azure/login
1
0
Fork 0
mirror of https://github.com/azure/login.git synced 2026-03-15 09:20:56 -04:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: azure:yanxu/node24_test
Branches Tags
azure:master azure:yanxu/node24_test azure:dependabot/npm_and_yarn/lodash-4.17.23 azure:dependabot/npm_and_yarn/js-yaml-3.14.2 azure:releases/v2.3.0 azure:yanxu/node24 azure:releases/v2.2.0 azure:sy/improve-cleanup0409 azure:fix-459 azure:releases/v2.1.1 azure:hf_447_release azure:releases/v2.1.0 azure:sy/improve-cleanup0409-release azure:sy/ncc-test azure:releases/v2 azure:update-node16to20-test azure:releases/v1.6.1 azure:fix-403-release azure:releases/v1.6.0 azure:releases/v1.5.1 azure:releases/v1.5.0 azure:jiasli/add_testcases azure:releases/v1 azure:jbenaventem-master azure:N-Usha-patch-1 azure:version-pattern-quickfix-releases azure:version-pattern-quickfix azure:id-token-errormsg azure:id-token-errormsg-releases azure:error-message azure:releases-docs azure:docs azure:master-token-logs azure:token-logs azure:releasesv1-readme azure:readme-changes azure:master-logs azure:oidc-support-logs azure:oidc-support azure:master-changes azure:oidc-support-master azure:oidc-support-ps azure:kanika/releaseTest azure:N-Usha-patch-OIDC azure:BALAGA-GAYATRI-patch-2 azure:ps-login azure:users/balaga-gayatri/test-automation azure:users/balaga-gayatri/testing azure:BALAGA-GAYATRI-patch-1 azure:kanika/prTest azure:users/balaga-gayatri/docs azure:users/balaga-gayatri/defaultlabels azure:users/balaga-gayatri/developer-guidelines azure:users/arjgupta/add-svgn-gov-cloud-support-release azure:azuresovereigncloud azure:releases/azcloud-v1 azure:users/aksm-ms/az-cli-version-debug-log azure:users/aksm/escape-az-cli-params-releases azure:users/aksm/escape-az-cli-params azure:ganeshrockz/updateReadme azure:users/aksm/az-version-master azure:users/aksm-ms/allow-no-subscription-releases azure:users/aksm/az-version-2 azure:ganeshrockz/no-subscription-login azure:ganeshrockz/test-branch-v1 azure:users/aksm/releases-updating-telemetry-repo-name azure:users/aksm/readme-version-update azure:users/amkawade/dependabot azure:dependabot/npm_and_yarn/lodash-4.17.19 azure:AmrutaKawade-patch-1 azure:AzureStackSupport-Beta azure:special-char-fix-master azure:special-char-fix-releasev1 azure:windows-fix azure:releases/v2-beta azure:silent-login-calls azure:suers/suaggar/addinguseragent
azure:v2 azure:v2.3.0 azure:v2.2.0 azure:v2.1.1 azure:v1 azure:v2.1.0 azure:v2.0.0 azure:v1.6.1 azure:v1.6.0 azure:v1.5.1 azure:v1.5.0 azure:v1.4.6 azure:v1.4.7 azure:v1.4.5 azure:v1.4.4 azure:v1.4.3 azure:v1.4.2 azure:v1.4.1 azure:v1.4.0 azure:v1.3.0 azure:v1.1 azure:v1.2.4 azure:v1.2.3 azure:v1.2.2 azure:v1.1.2 azure:v1.1.1 azure:v1.1.0
..
compare: azure:releases/v2.1.0
Branches Tags
azure:yanxu/node24_test azure:dependabot/npm_and_yarn/lodash-4.17.23 azure:dependabot/npm_and_yarn/js-yaml-3.14.2 azure:releases/v2.3.0 azure:master azure:yanxu/node24 azure:releases/v2.2.0 azure:sy/improve-cleanup0409 azure:fix-459 azure:releases/v2.1.1 azure:hf_447_release azure:releases/v2.1.0 azure:sy/improve-cleanup0409-release azure:sy/ncc-test azure:releases/v2 azure:update-node16to20-test azure:releases/v1.6.1 azure:fix-403-release azure:releases/v1.6.0 azure:releases/v1.5.1 azure:releases/v1.5.0 azure:jiasli/add_testcases azure:releases/v1 azure:jbenaventem-master azure:N-Usha-patch-1 azure:version-pattern-quickfix-releases azure:version-pattern-quickfix azure:id-token-errormsg azure:id-token-errormsg-releases azure:error-message azure:releases-docs azure:docs azure:master-token-logs azure:token-logs azure:releasesv1-readme azure:readme-changes azure:master-logs azure:oidc-support-logs azure:oidc-support azure:master-changes azure:oidc-support-master azure:oidc-support-ps azure:kanika/releaseTest azure:N-Usha-patch-OIDC azure:BALAGA-GAYATRI-patch-2 azure:ps-login azure:users/balaga-gayatri/test-automation azure:users/balaga-gayatri/testing azure:BALAGA-GAYATRI-patch-1 azure:kanika/prTest azure:users/balaga-gayatri/docs azure:users/balaga-gayatri/defaultlabels azure:users/balaga-gayatri/developer-guidelines azure:users/arjgupta/add-svgn-gov-cloud-support-release azure:azuresovereigncloud azure:releases/azcloud-v1 azure:users/aksm-ms/az-cli-version-debug-log azure:users/aksm/escape-az-cli-params-releases azure:users/aksm/escape-az-cli-params azure:ganeshrockz/updateReadme azure:users/aksm/az-version-master azure:users/aksm-ms/allow-no-subscription-releases azure:users/aksm/az-version-2 azure:ganeshrockz/no-subscription-login azure:ganeshrockz/test-branch-v1 azure:users/aksm/releases-updating-telemetry-repo-name azure:users/aksm/readme-version-update azure:users/amkawade/dependabot azure:dependabot/npm_and_yarn/lodash-4.17.19 azure:AmrutaKawade-patch-1 azure:AzureStackSupport-Beta azure:special-char-fix-master azure:special-char-fix-releasev1 azure:windows-fix azure:releases/v2-beta azure:silent-login-calls azure:suers/suaggar/addinguseragent
azure:v2 azure:v2.3.0 azure:v2.2.0 azure:v2.1.1 azure:v1 azure:v2.1.0 azure:v2.0.0 azure:v1.6.1 azure:v1.6.0 azure:v1.5.1 azure:v1.5.0 azure:v1.4.6 azure:v1.4.7 azure:v1.4.5 azure:v1.4.4 azure:v1.4.3 azure:v1.4.2 azure:v1.4.1 azure:v1.4.0 azure:v1.3.0 azure:v1.1 azure:v1.2.4 azure:v1.2.3 azure:v1.2.2 azure:v1.1.2 azure:v1.1.1 azure:v1.1.0

1 Commits
yanxu/node ... releases/v

Author SHA1 Message Date
MoChilia
6b2456866f prepare release v2.1.0 2024-04-16 14:01:37 +08:00
28 changed files with 467 additions and 1179 deletions
Expand all files Collapse all files

41
.github/workflows/azure-login-negative.yml vendored
View File

@@ -21,10 +21,10 @@ jobs:
- name: 'Checking out repo code' - name: 'Checking out repo code'
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Set Node.js 24.x for GitHub Action - name: Set Node.js 20.x for GitHub Action
uses: actions/setup-node@v4 uses: actions/setup-node@v4
with: with:
node-version: 24.x node-version: 20.x
- name: 'Validate build' - name: 'Validate build'
run: | run: |
@@ -84,10 +84,10 @@ jobs:
- name: 'Checking out repo code' - name: 'Checking out repo code'
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Set Node.js 24.x for GitHub Action - name: Set Node.js 20.x for GitHub Action
uses: actions/setup-node@v4 uses: actions/setup-node@v4
with: with:
node-version: 24.x node-version: 20.x
- name: 'Validate build' - name: 'Validate build'
run: | run: |
@@ -333,3 +333,36 @@ jobs:
with: with:
script: | script: |
core.setFailed('Last action should fail but not. Please check it.') core.setFailed('Last action should fail but not. Please check it.')
VMTest:
strategy:
matrix:
os: [self_linux, self_windows]
runs-on: ${{ matrix.os }}
environment: Automation test
steps:
- name: 'Checking out repo code'
uses: actions/checkout@v4
- name: Set Node.js 20.x for GitHub Action
uses: actions/setup-node@v4
with:
node-version: 20.x
- name: 'Validate build'
run: |
npm install
npm run build
- name: Login with system-assigned managed identity without auth-type
id: login_14
continue-on-error: true
uses: ./
- name: Check Last step failed
if: steps.login_14.outcome == 'success'
uses: actions/github-script@v7
with:
script: |
core.setFailed('Last action should fail but not. Please check it.')

184
.github/workflows/azure-login-positive.yml vendored
View File

@@ -12,7 +12,7 @@ jobs:
BasicTest: BasicTest:
strategy: strategy:
matrix: matrix:
os: [ubuntu-latest, windows-latest, macos-latest] os: [ubuntu-latest, windows-latest, macos-latest, self_linux, self_windows]
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
environment: Automation test environment: Automation test
@@ -20,10 +20,13 @@ jobs:
- name: 'Checking out repo code' - name: 'Checking out repo code'
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Set Node.js 24.x for GitHub Action - name: Set Node.js 20.x for GitHub Action
uses: actions/setup-node@v4 uses: actions/setup-node@v4
with: with:
node-version: 24.x node-version: 20.x
- name: 'Validate build'
run: |
npm install npm install
npm run build npm run build
@@ -44,11 +47,13 @@ jobs:
az vm list --output none az vm list --output none
- name: Run Azure PowerShell - name: Run Azure PowerShell
uses: azure/powershell@v2 uses: azure/powershell@v1
with: with:
azPSVersion: "latest" azPSVersion: "latest"
inlineScript: | inlineScript: |
$checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud' $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
$checkResult = $checkResult -and ((Get-AzResourceGroup -Name GitHubAction_CI_RG).ResourceGroupName -eq 'GitHubAction_CI_RG')
$checkResult = $checkResult -and ((Get-AzVM).Count -gt 0)
if(-not $checkResult){ if(-not $checkResult){
throw "Not all checks passed!" throw "Not all checks passed!"
} }
@@ -66,7 +71,7 @@ jobs:
az account show --output none az account show --output none
- name: Run Azure PowerShell again - name: Run Azure PowerShell again
uses: azure/powershell@v2 uses: azure/powershell@v1
with: with:
azPSVersion: "latest" azPSVersion: "latest"
inlineScript: | inlineScript: |
@@ -89,11 +94,13 @@ jobs:
az vm list --output none az vm list --output none
- name: Run Azure PowerShell - name: Run Azure PowerShell
uses: azure/powershell@v2 uses: azure/powershell@v1
with: with:
azPSVersion: "latest" azPSVersion: "latest"
inlineScript: | inlineScript: |
$checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud' $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
$checkResult = $checkResult -and ((Get-AzResourceGroup -Name GitHubAction_CI_RG).ResourceGroupName -eq 'GitHubAction_CI_RG')
$checkResult = $checkResult -and ((Get-AzVM).Count -gt 0)
if(-not $checkResult){ if(-not $checkResult){
throw "Not all checks passed!" throw "Not all checks passed!"
} }
@@ -109,10 +116,10 @@ jobs:
- name: 'Checking out repo code' - name: 'Checking out repo code'
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Set Node.js 24.x for GitHub Action - name: Set Node.js 20.x for GitHub Action
uses: actions/setup-node@v4 uses: actions/setup-node@v4
with: with:
node-version: 24.x node-version: 20.x
- name: 'Validate build' - name: 'Validate build'
run: | run: |
@@ -157,11 +164,13 @@ jobs:
az vm list --output none az vm list --output none
- name: Run Azure PowerShell - name: Run Azure PowerShell
uses: azure/powershell@v2 uses: azure/powershell@v1
with: with:
azPSVersion: "latest" azPSVersion: "latest"
inlineScript: | inlineScript: |
$checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud' $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
$checkResult = $checkResult -and ((Get-AzResourceGroup -Name GitHubAction_CI_RG).ResourceGroupName -eq 'GitHubAction_CI_RG')
$checkResult = $checkResult -and ((Get-AzVM).Count -gt 0)
if(-not $checkResult){ if(-not $checkResult){
throw "Not all checks passed!" throw "Not all checks passed!"
} }
@@ -180,7 +189,7 @@ jobs:
az account show --output none az account show --output none
- name: Run Azure PowerShell again - name: Run Azure PowerShell again
uses: azure/powershell@v2 uses: azure/powershell@v1
with: with:
azPSVersion: "latest" azPSVersion: "latest"
inlineScript: | inlineScript: |
@@ -200,13 +209,13 @@ jobs:
- name: Run Azure Cli - name: Run Azure Cli
shell: pwsh shell: pwsh
run: | run: |
$checkResult = (az account list --output json | ConvertFrom-Json).Count -eq 3 $checkResult = (az account list --output json | ConvertFrom-Json).Count -eq 2
if(-not $checkResult){ if(-not $checkResult){
throw "Not all checks passed!" throw "Not all checks passed!"
} }
- name: Run Azure PowerShell - name: Run Azure PowerShell
uses: azure/powershell@v2 uses: azure/powershell@v1
with: with:
azPSVersion: "latest" azPSVersion: "latest"
inlineScript: | inlineScript: |
@@ -227,7 +236,7 @@ jobs:
az account show --output none az account show --output none
- name: Run Azure PowerShell - name: Run Azure PowerShell
uses: azure/powershell@v2 uses: azure/powershell@v1
with: with:
azPSVersion: "latest" azPSVersion: "latest"
inlineScript: | inlineScript: |
@@ -236,77 +245,118 @@ jobs:
throw "Not all checks passed!" throw "Not all checks passed!"
} }
InDockerTest: VMTest:
runs-on: ubuntu-latest strategy:
container: ubuntu:24.04 matrix:
os: [self_linux, self_windows]
runs-on: ${{ matrix.os }}
environment: Automation test environment: Automation test
steps: steps:
- name: 'Checking out repo code' - name: 'Checking out repo code'
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Set Node.js 24.x for GitHub Action - name: Set Node.js 20.x for GitHub Action
uses: actions/setup-node@v4 uses: actions/setup-node@v4
with: with:
node-version: 24.x node-version: 20.x
- name: Install Azure CLI
run: |
apt-get update
apt-get install -y curl
curl -sL https://aka.ms/InstallAzureCLIDeb | bash
- name: Check Azure CLI Version
run: |
az --version
- name: Install Powershell
run: |
apt-get update
apt-get install -y wget
wget https://ftp.debian.org/debian/pool/main/i/icu/libicu72_72.1-3_amd64.deb
dpkg -i libicu72_72.1-3_amd64.deb
wget https://github.com/PowerShell/PowerShell/releases/download/v7.5.0/powershell_7.5.0-1.deb_amd64.deb
dpkg -i powershell_7.5.0-1.deb_amd64.deb
- name: Check Powershell Version
shell: pwsh
run: |
$PSVersionTable
- name: Install Azure Powershell
shell: pwsh
run: |
Install-Module -Name Az -Repository PSGallery -Force
- name: Check Azure Powershell Version
shell: pwsh
run: |
Get-Module -ListAvailable Az
- name: 'Validate build' - name: 'Validate build'
run: | run: |
npm install npm install
npm run build npm run build
- name: 'Run L0 tests'
run: |
npm run test
- name: Login with individual parameters - name: Login with system-assigned managed identity, no subscription-id
uses: ./ uses: ./
with: with:
client-id: ${{ secrets.SP1_CLIENT_ID }} auth-type: IDENTITY
tenant-id: ${{ secrets.SP1_TENANT_ID }} allow-no-subscriptions: true
subscription-id: ${{ secrets.SP1_SUBSCRIPTION_ID }}
enable-AzPSSession: true enable-AzPSSession: true
- name: Run Azure Cli again - name: Run Azure Cli
run: | run: |
az group list --output none az account show --output none
- name: Run Azure PowerShell again - name: Run Azure PowerShell
uses: azure/powershell@v2 uses: azure/powershell@v1
with: with:
azPSVersion: "latest" azPSVersion: "latest"
inlineScript: | inlineScript: |
$checkResult = Get-AzResourceGroup $checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
if(-not $checkResult){
throw "Not all checks passed!"
}
- name: Login with system-assigned managed identity, with subscription id
uses: ./
with:
auth-type: IDENTITY
subscription-id: ${{ secrets.AZURE_SUBSCRIPTIONID }}
enable-AzPSSession: true
- name: Run Azure Cli
run: |
az account show --output none
az group show --name GitHubAction_CI_RG --output none
az vm list --output none
- name: Run Azure PowerShell
uses: azure/powershell@v1
with:
azPSVersion: "latest"
inlineScript: |
$checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
$checkResult = $checkResult -and ((Get-AzResourceGroup -Name GitHubAction_CI_RG).ResourceGroupName -eq 'GitHubAction_CI_RG')
$checkResult = $checkResult -and ((Get-AzVM).Count -gt 0)
if(-not $checkResult){
throw "Not all checks passed!"
}
- name: Login with tenant-level user-assigned managed identity with allow-no-subscriptions
uses: ./
with:
client-id: ${{ secrets.UMI2_CLIENT_ID }}
allow-no-subscriptions: true
auth-type: IDENTITY
enable-AzPSSession: true
- name: Run Azure Cli
run: |
az account show --output none
- name: Run Azure PowerShell
uses: azure/powershell@v1
with:
azPSVersion: "latest"
inlineScript: |
$checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
if(-not $checkResult){
throw "Not all checks passed!"
}
- name: Login with user-assigned managed identity, subscription-id
uses: ./
with:
client-id: ${{ secrets.UMI1_CLIENT_ID }}
subscription-id: ${{ secrets.UMI1_SUBSCRIPTION_ID }}
auth-type: IDENTITY
enable-AzPSSession: true
- name: Run Azure Cli
run: |
az account show --output none
az group show --name GitHubAction_CI_RG --output none
az vm list --output none
- name: Run Azure PowerShell
uses: azure/powershell@v1
with:
azPSVersion: "latest"
inlineScript: |
$checkResult = (Get-AzContext).Environment.Name -eq 'AzureCloud'
$checkResult = $checkResult -and ((Get-AzResourceGroup -Name GitHubAction_CI_RG).ResourceGroupName -eq 'GitHubAction_CI_RG')
$checkResult = $checkResult -and ((Get-AzVM).Count -gt 0)
if(-not $checkResult){
throw "Not all checks passed!"
}

52
.github/workflows/azure-login-pr-check.yml vendored
View File

@@ -1,12 +1,13 @@
name: pr-check name: pr-check
on: on:
pull_request: pull_request_target:
branches: branches:
- master - master
- 'releases/*' - 'releases/*'
jobs: jobs:
az-login-test: az-login-test:
environment: Automation test
runs-on: windows-latest runs-on: windows-latest
steps: steps:
- name: Checkout from PR branch - name: Checkout from PR branch
@@ -15,11 +16,11 @@ jobs:
repository: ${{ github.event.pull_request.head.repo.full_name }} repository: ${{ github.event.pull_request.head.repo.full_name }}
ref: ${{ github.event.pull_request.head.ref }} ref: ${{ github.event.pull_request.head.ref }}
# Using 24.x version as an example # Using 20.x version as an example
- name: Set Node.js 24.x for GitHub Action - name: Set Node.js 20.x for GitHub Action
uses: actions/setup-node@v4 uses: actions/setup-node@v4
with: with:
node-version: 24.x node-version: 20.x
- name: installing node_modules - name: installing node_modules
run: npm install run: npm install
@@ -27,5 +28,44 @@ jobs:
- name: Build GitHub Action - name: Build GitHub Action
run: npm run build run: npm run build
- name: Run mock test - name: 'Az CLI login with subscription'
run: npm run test uses: ./
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- run: |
az account show --output none
az vm list --output none
- name: 'Az CLI login without subscription'
uses: ./
with:
creds: ${{ secrets.AZURE_CREDENTIALS_NO_SUB }}
allow-no-subscriptions: true
- run: |
az account show --output none
# az vm list --output none
- name: 'Azure PowerShell login with subscription'
uses: ./
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
enable-AzPSSession: true
- uses: azure/powershell@v1
with:
inlineScript: "(Get-AzContext).Environment.Name"
azPSVersion: "latest"
# - name: 'Azure PowerShell login without subscription'
# uses: ./
# with:
# creds: ${{secrets.AZURE_CREDENTIALS_NO_SUB}}
# enable-AzPSSession: true
# allow-no-subscriptions: true
# - uses: azure/powershell@v1
# with:
# inlineScript: "Get-AzContext"
# azPSVersion: "latest"

4
.github/workflows/ci.yml vendored
View File

@@ -20,10 +20,10 @@ jobs:
- name: 'Checking out repo code' - name: 'Checking out repo code'
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Set Node.js 24.x for GitHub Action - name: Set Node.js 20.x for GitHub Action
uses: actions/setup-node@v4 uses: actions/setup-node@v4
with: with:
node-version: 24.x node-version: 20.x
- name: 'Validate build' - name: 'Validate build'
run: | run: |

2
.github/workflows/markdownlint.yml vendored
View File

@@ -11,7 +11,7 @@ jobs:
- name: Use Node.js - name: Use Node.js
uses: actions/setup-node@v4 uses: actions/setup-node@v4
with: with:
node-version: 24.x node-version: 20.x
- name: Run Markdownlint - name: Run Markdownlint
run: | run: |
npm i -g markdownlint-cli2 npm i -g markdownlint-cli2

1
CODE_OF_CONDUCT.md
View File

@@ -7,4 +7,3 @@ Resources:
- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/) - [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) - [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns - Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns
- Employees can reach out at [aka.ms/opensource/moderation-support](https://aka.ms/opensource/moderation-support)

190
README.md
View File

@@ -19,7 +19,6 @@
- [Login to Azure US Government cloud](#login-to-azure-us-government-cloud) - [Login to Azure US Government cloud](#login-to-azure-us-government-cloud)
- [Login to Azure Stack Hub](#login-to-azure-stack-hub) - [Login to Azure Stack Hub](#login-to-azure-stack-hub)
- [Login without subscription](#login-without-subscription) - [Login without subscription](#login-without-subscription)
- [Enable/Disable the cleanup steps](#enabledisable-the-cleanup-steps)
- [Security hardening](#security-hardening) - [Security hardening](#security-hardening)
- [Azure CLI dependency](#azure-cli-dependency) - [Azure CLI dependency](#azure-cli-dependency)
- [Reference](#reference) - [Reference](#reference)
@@ -57,7 +56,7 @@ Azure Login Action supports different ways of authentication with Azure.
|tenant-id|false|UUID||the login tenant id| |tenant-id|false|UUID||the login tenant id|
|creds|false|string||a json string for login with an Azure service principal| |creds|false|string||a json string for login with an Azure service principal|
|enable-AzPSSession|false|boolean|false|if Azure PowerShell login is enabled| |enable-AzPSSession|false|boolean|false|if Azure PowerShell login is enabled|
|environment|false|string|azurecloud|the Azure Cloud environment. For cloud environments other than the public cloud, the `audience` will also need to be updated.| |environment|false|string|azurecloud|the Azure Cloud environment|
|allow-no-subscriptions|false|boolean|false|if login without subscription is allowed| |allow-no-subscriptions|false|boolean|false|if login without subscription is allowed|
|audience|false|string|api://AzureADTokenExchange|the audience to get the JWT ID token from GitHub OIDC provider| |audience|false|string|api://AzureADTokenExchange|the audience to get the JWT ID token from GitHub OIDC provider|
|auth-type|false|string|SERVICE_PRINCIPAL|the auth type| |auth-type|false|string|SERVICE_PRINCIPAL|the auth type|
@@ -127,8 +126,6 @@ By default, Azure Login Action connects to the Azure Public Cloud (`AzureCloud`)
To login to one of the Azure Government clouds or Azure Stack, set `environment` to one of the supported values `AzureUSGovernment` or `AzureChinaCloud` or `AzureGermanCloud` or `AzureStack`. To login to one of the Azure Government clouds or Azure Stack, set `environment` to one of the supported values `AzureUSGovernment` or `AzureChinaCloud` or `AzureGermanCloud` or `AzureStack`.
The default [`audience`](#audience) for each of these clouds is different and will also need to be set if using anything other than the public environment.
Refer to [Login to Azure US Government cloud](#login-to-azure-us-government-cloud) for its usage. Refer to [Login to Azure US Government cloud](#login-to-azure-us-government-cloud) for its usage.
### `allow-no-subscriptions` ### `allow-no-subscriptions`
@@ -156,7 +153,7 @@ Refer to [Login With System-assigned Managed Identity](#login-with-system-assign
> - Ensure the CLI version is 2.30 or above to support login with OIDC. > - Ensure the CLI version is 2.30 or above to support login with OIDC.
> - By default, Azure access tokens issued during OIDC based login could have limited validity. Azure access token issued by Service Principal is expected to have an expiration of 1 hour by default. And with Managed Identities, it would be 24 hours. This expiration time is further configurable in Azure. Refer to [access-token lifetime](https://learn.microsoft.com/azure/active-directory/develop/access-tokens#access-token-lifetime) for more details. > - By default, Azure access tokens issued during OIDC based login could have limited validity. Azure access token issued by Service Principal is expected to have an expiration of 1 hour by default. And with Managed Identities, it would be 24 hours. This expiration time is further configurable in Azure. Refer to [access-token lifetime](https://learn.microsoft.com/azure/active-directory/develop/access-tokens#access-token-lifetime) for more details.
Before you use Azure Login Action with OIDC, you need to configure a federated identity credential on a service principal or a managed identity. Before you use Azure Login Action with OIDC, you need to configure a federated identity credential on an service principal or a managed identity.
- Prepare a service principal for Login with OIDC - Prepare a service principal for Login with OIDC
- [Create a service principal and assign a role to it](https://learn.microsoft.com/entra/identity-platform/howto-create-service-principal-portal) - [Create a service principal and assign a role to it](https://learn.microsoft.com/entra/identity-platform/howto-create-service-principal-portal)
@@ -186,9 +183,9 @@ name: Run Azure Login with OIDC
on: [push] on: [push]
permissions: permissions:
id-token: write id-token: write
contents: read contents: read
jobs: jobs:
build-and-deploy: build-and-deploy:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
@@ -198,9 +195,9 @@ jobs:
client-id: ${{ secrets.AZURE_CLIENT_ID }} client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Azure CLI script - name: Azure CLI script
uses: azure/cli@v2 uses: azure/CLI@v1
with: with:
azcliversion: latest azcliversion: latest
inlineScript: | inlineScript: |
@@ -216,9 +213,9 @@ name: Run Azure Login with OIDC
on: [push] on: [push]
permissions: permissions:
id-token: write id-token: write
contents: read contents: read
jobs: jobs:
build-and-deploy: build-and-deploy:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
@@ -229,16 +226,16 @@ jobs:
tenant-id: ${{ secrets.AZURE_TENANT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
enable-AzPSSession: true enable-AzPSSession: true
- name: Azure CLI script - name: Azure CLI script
uses: azure/cli@v2 uses: azure/CLI@v1
with: with:
azcliversion: latest azcliversion: latest
inlineScript: | inlineScript: |
az account show az account show
- name: Azure PowerShell script - name: Azure PowerShell script
uses: azure/powershell@v2 uses: azure/powershell@v1
with: with:
azPSVersion: "latest" azPSVersion: "latest"
inlineScript: | inlineScript: |
@@ -284,17 +281,18 @@ jobs:
build-and-deploy: build-and-deploy:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: azure/login@v2 - uses: azure/login@v2
with: with:
creds: ${{ secrets.AZURE_CREDENTIALS }} creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Azure CLI script - name: Azure CLI script
uses: azure/cli@v2 uses: azure/CLI@v1
with: with:
azcliversion: latest azcliversion: latest
inlineScript: | inlineScript: |
az account show az account show
``` ```
- **The workflow sample to run both Azure CLI and Azure PowerShell** - **The workflow sample to run both Azure CLI and Azure PowerShell**
@@ -311,21 +309,21 @@ jobs:
build-and-deploy: build-and-deploy:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: azure/login@v2 - uses: azure/login@v2
with: with:
creds: ${{ secrets.AZURE_CREDENTIALS }} creds: ${{ secrets.AZURE_CREDENTIALS }}
enable-AzPSSession: true enable-AzPSSession: true
- name: Azure CLI script - name: Azure CLI script
uses: azure/cli@v2 uses: azure/CLI@v1
with: with:
azcliversion: latest azcliversion: latest
inlineScript: | inlineScript: |
az account show az account show
- name: Azure PowerShell script - name: Azure PowerShell script
uses: azure/powershell@v2 uses: azure/powershell@v1
with: with:
azPSVersion: "latest" azPSVersion: "latest"
inlineScript: | inlineScript: |
@@ -374,29 +372,29 @@ Now you can try the workflow to login with system-assigned managed identity.
name: Run Azure Login with System-assigned Managed Identity name: Run Azure Login with System-assigned Managed Identity
on: [push] on: [push]
jobs: jobs:
build-and-deploy: build-and-deploy:
runs-on: self-hosted runs-on: self-hosted
steps: steps:
- name: Azure login - name: Azure login
uses: azure/login@v2 uses: azure/login@v2
with: with:
auth-type: IDENTITY auth-type: IDENTITY
tenant-id: ${{ secrets.AZURE_TENANT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
enable-AzPSSession: true enable-AzPSSession: true
# Azure CLI Action only supports linux self-hosted runners for now. # Azure CLI Action only supports linux self-hosted runners for now.
# If you want to execute the Azure CLI script on a windows self-hosted runner, you can execute it directly in `run`. # If you want to execute the Azure CLI script on a windows self-hosted runner, you can execute it directly in `run`.
- name: Azure CLI script - name: Azure CLI script
uses: azure/cli@v2 uses: azure/CLI@v1
with: with:
azcliversion: latest azcliversion: latest
inlineScript: | inlineScript: |
az account show az account show
- name: Azure PowerShell script - name: Azure PowerShell script
uses: azure/powershell@v2 uses: azure/powershell@v1
with: with:
azPSVersion: "latest" azPSVersion: "latest"
inlineScript: | inlineScript: |
@@ -440,7 +438,7 @@ Now you can try the workflow to login with user-assigned managed identity.
name: Run Azure Login with User-assigned Managed Identity name: Run Azure Login with User-assigned Managed Identity
on: [push] on: [push]
jobs: jobs:
build-and-deploy: build-and-deploy:
runs-on: self-hosted runs-on: self-hosted
steps: steps:
@@ -448,22 +446,22 @@ jobs:
uses: azure/login@v2 uses: azure/login@v2
with: with:
auth-type: IDENTITY auth-type: IDENTITY
client-id: ${{ secrets.AZURE_CLIENT_ID }} client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
enable-AzPSSession: true enable-AzPSSession: true
# Azure CLI Action only supports linux self-hosted runners for now. # Azure CLI Action only supports linux self-hosted runners for now.
# If you want to execute the Azure CLI script on a windows self-hosted runner, you can execute it directly in `run`. # If you want to execute the Azure CLI script on a windows self-hosted runner, you can execute it directly in `run`.
- name: Azure CLI script - name: Azure CLI script
uses: azure/cli@v2 uses: azure/CLI@v1
with: with:
azcliversion: latest azcliversion: latest
inlineScript: | inlineScript: |
az account show az account show
- name: Azure PowerShell script - name: Azure PowerShell script
uses: azure/powershell@v2 uses: azure/powershell@v1
with: with:
azPSVersion: "latest" azPSVersion: "latest"
inlineScript: | inlineScript: |
@@ -484,12 +482,13 @@ jobs:
build-and-deploy: build-and-deploy:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: azure/login@v2 - uses: azure/login@v2
with: with:
creds: ${{ secrets.AZURE_CREDENTIALS }} creds: ${{ secrets.AZURE_CREDENTIALS }}
environment: 'AzureUSGovernment' environment: 'AzureUSGovernment'
enable-AzPSSession: true enable-AzPSSession: true
``` ```
### Login to Azure Stack Hub ### Login to Azure Stack Hub
@@ -506,12 +505,13 @@ jobs:
build-and-deploy: build-and-deploy:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: azure/login@v2 - uses: azure/login@v2
with: with:
creds: ${{ secrets.AZURE_CREDENTIALS }} creds: ${{ secrets.AZURE_CREDENTIALS }}
environment: 'AzureStack' environment: 'AzureStack'
enable-AzPSSession: true enable-AzPSSession: true
``` ```
Refer to the [Azure Stack Hub Login Action Tutorial](https://learn.microsoft.com/azure-stack/user/ci-cd-github-action-login-cli) for more detailed instructions. Refer to the [Azure Stack Hub Login Action Tutorial](https://learn.microsoft.com/azure-stack/user/ci-cd-github-action-login-cli) for more detailed instructions.
@@ -542,130 +542,20 @@ jobs:
enable-AzPSSession: true enable-AzPSSession: true
- name: Azure CLI script - name: Azure CLI script
uses: azure/cli@v2 uses: azure/CLI@v1
with: with:
azcliversion: latest azcliversion: latest
inlineScript: | inlineScript: |
az account show az account show
- name: Run Azure PowerShell - name: Run Azure PowerShell
uses: azure/powershell@v2 uses: azure/powershell@v1
with: with:
azPSVersion: "latest" azPSVersion: "latest"
inlineScript: | inlineScript: |
Get-AzContext Get-AzContext
``` ```
### Enable/Disable the cleanup steps
In Azure Login Action, "cleanup" means cleaning up the login context. For security reasons, we recommend users run cleanup every time. But in some scenarios, users need flexible control over cleanup.
Referring to [`runs` for JavaScript actions](https://docs.github.com/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions#runs-for-javascript-actions), there are 3 steps in an action: `pre:`, `main:` and `post:`. Azure Login Action only implement 2 steps: `main:` and `post:`.
There are 2 "cleanup" steps in Azure Login Action:
- cleanup in `main:`
- It's **disabled** by default.
- Users can enable it by setting an env variable `AZURE_LOGIN_PRE_CLEANUP` to `true`.
- cleanup in `post:`
- It's **enabled** by default.
- Users can disable it by setting an env variable `AZURE_LOGIN_POST_CLEANUP` to `false`.
Azure Login Action use env variables to enable or disable cleanup steps. In GitHub Actions, there are three valid scopes for env variables.
- [env](https://docs.github.com/actions/writing-workflows/workflow-syntax-for-github-actions#env)
- valid for all jobs in this workflow.
- [jobs.<job_id>.env](https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idenv)
- valid for all the steps in the job.
- [jobs.<job_id>.steps[*].env](https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsenv)
- only valid for the step in a job.
We set `jobs.<job_id>.steps[*].env` for example. Users can set `env` or `jobs.<job_id>.env` for a wider scope.
```yaml
# File: .github/workflows/workflow.yml
on: [push]
name: Cleanup examples for Multiple Azure Login
jobs:
deploy:
runs-on: ubuntu-latest
steps:
# enable cleanup for the 1st Azure Login
- name: Azure Login
uses: azure/login@v2
env:
AZURE_LOGIN_PRE_CLEANUP: true
AZURE_LOGIN_POST_CLEANUP: true
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
enable-AzPSSession: true
# run some actions
# disable cleanup for all other Azure Login
- name: Azure Login 2
uses: azure/login@v2
env:
AZURE_LOGIN_PRE_CLEANUP: false
AZURE_LOGIN_POST_CLEANUP: false
with:
client-id: ${{ secrets.AZURE_CLIENT_ID_2 }}
tenant-id: ${{ secrets.AZURE_TENANT_ID_2 }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID_2 }}
enable-AzPSSession: true
# run other actions
# disable cleanup for all other Azure Login
- name: Azure Login 3
uses: azure/login@v2
env:
AZURE_LOGIN_PRE_CLEANUP: false
AZURE_LOGIN_POST_CLEANUP: false
with:
client-id: ${{ secrets.AZURE_CLIENT_ID_3 }}
tenant-id: ${{ secrets.AZURE_TENANT_ID_3 }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID_3 }}
enable-AzPSSession: true
# run other actions
```
```yaml
# File: .github/workflows/workflow.yml
on: [push]
name: Disable cleanup for GitHub Hosted Runners
jobs:
deploy:
runs-on: [ubuntu-latest, self-hosted]
steps:
- name: Azure Login
uses: azure/login@v2
env:
AZURE_LOGIN_PRE_CLEANUP: ${{ startsWith(runner.name, 'GitHub Actions') }}
AZURE_LOGIN_POST_CLEANUP: ${{ startsWith(runner.name, 'GitHub Actions') }}
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
enable-AzPSSession: true
# run some actions
```
## Security hardening ## Security hardening
> [!WARNING] > [!WARNING]
@@ -679,7 +569,7 @@ Internally in this action, we use azure CLI and execute `az login` with the cred
### GitHub Action ### GitHub Action
[GitHub Actions](https://docs.github.com/actions) gives you the flexibility to build an automated software development lifecycle workflow. [GitHub Actions](https://help.github.com/articles/about-github-actions) gives you the flexibility to build an automated software development lifecycle workflow.
### GitHub Actions for deploying to Azure ### GitHub Actions for deploying to Azure

2
__tests__/LoginConfig.test.ts
View File

@@ -245,7 +245,7 @@ describe("LoginConfig Test", () => {
let loginConfig = new LoginConfig(); let loginConfig = new LoginConfig();
await loginConfig.initialize(); await loginConfig.initialize();
testValidateWithErrorMessage(loginConfig, "Ensure 'subscription-id' is supplied or 'allow-no-subscriptions' is 'true'."); testValidateWithErrorMessage(loginConfig, "Ensure subscriptionId is supplied.");
}); });
test('validate without subscriptionId and allowNoSubscriptionsLogin=true', async () => { test('validate without subscriptionId and allowNoSubscriptionsLogin=true', async () => {

14
__tests__/PowerShell/AzPSScriptBuilder.test.ts
View File

@@ -40,7 +40,7 @@ describe("Getting AzLogin PS script", () => {
let loginConfig = new LoginConfig(); let loginConfig = new LoginConfig();
loginConfig.initialize(); loginConfig.initialize();
return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => { return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
expect(loginScript.includes("$psLoginSecrets = ConvertTo-SecureString 'client-secret' -AsPlainText -Force; $psLoginCredential = New-Object System.Management.Automation.PSCredential('client-id', $psLoginSecrets); Connect-AzAccount -ServicePrincipal -Environment 'azurecloud' -Tenant 'tenant-id' -Subscription 'subscription-id' -Credential $psLoginCredential -InformationAction Ignore | out-null;")).toBeTruthy(); expect(loginScript.includes("$psLoginSecrets = ConvertTo-SecureString 'client-secret' -AsPlainText -Force; $psLoginCredential = New-Object System.Management.Automation.PSCredential('client-id', $psLoginSecrets); Connect-AzAccount -ServicePrincipal -Environment 'azurecloud' -Tenant 'tenant-id' -Subscription 'subscription-id' -Credential $psLoginCredential | out-null;")).toBeTruthy();
expect(loginMethod).toBe('service principal with secret'); expect(loginMethod).toBe('service principal with secret');
}); });
}); });
@@ -61,7 +61,7 @@ describe("Getting AzLogin PS script", () => {
let loginConfig = new LoginConfig(); let loginConfig = new LoginConfig();
loginConfig.initialize(); loginConfig.initialize();
return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => { return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
expect(loginScript.includes("$psLoginSecrets = ConvertTo-SecureString 'client-se''cret' -AsPlainText -Force; $psLoginCredential = New-Object System.Management.Automation.PSCredential('client-id', $psLoginSecrets); Connect-AzAccount -ServicePrincipal -Environment 'azurecloud' -Tenant 'tenant-id' -Subscription 'subscription-id' -Credential $psLoginCredential -InformationAction Ignore | out-null;")).toBeTruthy(); expect(loginScript.includes("$psLoginSecrets = ConvertTo-SecureString 'client-se''cret' -AsPlainText -Force; $psLoginCredential = New-Object System.Management.Automation.PSCredential('client-id', $psLoginSecrets); Connect-AzAccount -ServicePrincipal -Environment 'azurecloud' -Tenant 'tenant-id' -Subscription 'subscription-id' -Credential $psLoginCredential | out-null;")).toBeTruthy();
expect(loginMethod).toBe('service principal with secret'); expect(loginMethod).toBe('service principal with secret');
}); });
}); });
@@ -82,7 +82,7 @@ describe("Getting AzLogin PS script", () => {
let loginConfig = new LoginConfig(); let loginConfig = new LoginConfig();
loginConfig.initialize(); loginConfig.initialize();
return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => { return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
expect(loginScript.includes("$psLoginSecrets = ConvertTo-SecureString 'client-secret' -AsPlainText -Force; $psLoginCredential = New-Object System.Management.Automation.PSCredential('client-id', $psLoginSecrets); Connect-AzAccount -ServicePrincipal -Environment 'azurecloud' -Tenant 'tenant-id' -Subscription 'subscription-id' -Credential $psLoginCredential -InformationAction Ignore | out-null;")).toBeTruthy(); expect(loginScript.includes("$psLoginSecrets = ConvertTo-SecureString 'client-secret' -AsPlainText -Force; $psLoginCredential = New-Object System.Management.Automation.PSCredential('client-id', $psLoginSecrets); Connect-AzAccount -ServicePrincipal -Environment 'azurecloud' -Tenant 'tenant-id' -Subscription 'subscription-id' -Credential $psLoginCredential | out-null;")).toBeTruthy();
expect(loginMethod).toBe('service principal with secret'); expect(loginMethod).toBe('service principal with secret');
}); });
}); });
@@ -100,7 +100,7 @@ describe("Getting AzLogin PS script", () => {
loginConfig.initialize(); loginConfig.initialize();
jest.spyOn(loginConfig, 'getFederatedToken').mockImplementation(async () => {loginConfig.federatedToken = "fake-token";}); jest.spyOn(loginConfig, 'getFederatedToken').mockImplementation(async () => {loginConfig.federatedToken = "fake-token";});
return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => { return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
expect(loginScript.includes("Connect-AzAccount -ServicePrincipal -Environment 'azurecloud' -Tenant 'tenant-id' -Subscription 'subscription-id' -ApplicationId 'client-id' -FederatedToken 'fake-token' -InformationAction Ignore | out-null;")).toBeTruthy(); expect(loginScript.includes("Connect-AzAccount -ServicePrincipal -Environment 'azurecloud' -Tenant 'tenant-id' -Subscription 'subscription-id' -ApplicationId 'client-id' -FederatedToken 'fake-token' | out-null;")).toBeTruthy();
expect(loginMethod).toBe('OIDC'); expect(loginMethod).toBe('OIDC');
}); });
}); });
@@ -115,7 +115,7 @@ describe("Getting AzLogin PS script", () => {
let loginConfig = new LoginConfig(); let loginConfig = new LoginConfig();
loginConfig.initialize(); loginConfig.initialize();
return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => { return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
expect(loginScript.includes("Connect-AzAccount -Identity -Environment 'azurecloud' -Subscription 'subscription-id' -InformationAction Ignore | out-null;")).toBeTruthy(); expect(loginScript.includes("Connect-AzAccount -Identity -Environment 'azurecloud' -Subscription 'subscription-id' | out-null;")).toBeTruthy();
expect(loginMethod).toBe('system-assigned managed identity'); expect(loginMethod).toBe('system-assigned managed identity');
}); });
}); });
@@ -130,7 +130,7 @@ describe("Getting AzLogin PS script", () => {
let loginConfig = new LoginConfig(); let loginConfig = new LoginConfig();
loginConfig.initialize(); loginConfig.initialize();
return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => { return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
expect(loginScript.includes("Connect-AzAccount -Identity -Environment 'azurecloud' -InformationAction Ignore | out-null;")).toBeTruthy(); expect(loginScript.includes("Connect-AzAccount -Identity -Environment 'azurecloud' | out-null;")).toBeTruthy();
expect(loginMethod).toBe('system-assigned managed identity'); expect(loginMethod).toBe('system-assigned managed identity');
}); });
}); });
@@ -145,7 +145,7 @@ describe("Getting AzLogin PS script", () => {
let loginConfig = new LoginConfig(); let loginConfig = new LoginConfig();
loginConfig.initialize(); loginConfig.initialize();
return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => { return AzPSSCriptBuilder.getAzPSLoginScript(loginConfig).then(([loginMethod, loginScript]) => {
expect(loginScript.includes("Connect-AzAccount -Identity -Environment 'azurecloud' -AccountId 'client-id' -InformationAction Ignore | out-null;")).toBeTruthy(); expect(loginScript.includes("Connect-AzAccount -Identity -Environment 'azurecloud' -AccountId 'client-id' | out-null;")).toBeTruthy();
expect(loginMethod).toBe('user-assigned managed identity'); expect(loginMethod).toBe('user-assigned managed identity');
}); });
}); });

4
action.yml
View File

@@ -38,7 +38,7 @@ branding:
icon: 'login.svg' icon: 'login.svg'
color: 'blue' color: 'blue'
runs: runs:
using: 'node24' using: 'node20'
pre: 'lib/cleanup/index.js'
main: 'lib/main/index.js' main: 'lib/main/index.js'
post-if: (!env.AZURE_LOGIN_POST_CLEANUP || env.AZURE_LOGIN_POST_CLEANUP != 'false')
post: 'lib/cleanup/index.js' post: 'lib/cleanup/index.js'

146
lib/Cli/AzureCliLogin.js
View File

@@ -1,146 +0,0 @@
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.AzureCliLogin = void 0;
const exec = __importStar(require("@actions/exec"));
const core = __importStar(require("@actions/core"));
const io = __importStar(require("@actions/io"));
class AzureCliLogin {
constructor(loginConfig) {
this.loginConfig = loginConfig;
}
login() {
return __awaiter(this, void 0, void 0, function* () {
this.azPath = yield io.which("az", true);
core.debug(`az cli path: ${this.azPath}`);
let output = "";
const execOptions = {
listeners: {
stdout: (data) => {
output += data.toString();
}
}
};
yield this.executeAzCliCommand("--version", true, execOptions);
core.debug(`az cli version used:\n${output}`);
this.setAzurestackEnvIfNecessary();
yield this.executeAzCliCommand(`cloud set -n "${this.loginConfig.environment}"`, false);
console.log(`Done setting cloud: "${this.loginConfig.environment}"`);
// Attempting Az cli login
var commonArgs = ["--service-principal",
"-u", this.loginConfig.servicePrincipalId,
"--tenant", this.loginConfig.tenantId
];
if (this.loginConfig.allowNoSubscriptionsLogin) {
commonArgs = commonArgs.concat("--allow-no-subscriptions");
}
if (this.loginConfig.enableOIDC) {
commonArgs = commonArgs.concat("--federated-token", this.loginConfig.federatedToken);
}
else {
console.log("Note: Azure/login action also supports OIDC login mechanism. Refer https://github.com/azure/login#configure-a-service-principal-with-a-federated-credential-to-use-oidc-based-authentication for more details.");
commonArgs = commonArgs.concat(`--password=${this.loginConfig.servicePrincipalKey}`);
}
const loginOptions = defaultExecOptions();
yield this.executeAzCliCommand(`login`, true, loginOptions, commonArgs);
if (!this.loginConfig.allowNoSubscriptionsLogin) {
var args = [
"--subscription",
this.loginConfig.subscriptionId
];
yield this.executeAzCliCommand(`account set`, true, loginOptions, args);
}
});
}
setAzurestackEnvIfNecessary() {
return __awaiter(this, void 0, void 0, function* () {
if (this.loginConfig.environment != "azurestack") {
return;
}
if (!this.loginConfig.resourceManagerEndpointUrl) {
throw new Error("resourceManagerEndpointUrl is a required parameter when environment is defined.");
}
console.log(`Unregistering cloud: "${this.loginConfig.environment}" first if it exists`);
try {
yield this.executeAzCliCommand(`cloud set -n AzureCloud`, true);
yield this.executeAzCliCommand(`cloud unregister -n "${this.loginConfig.environment}"`, false);
}
catch (error) {
console.log(`Ignore cloud not registered error: "${error}"`);
}
console.log(`Registering cloud: "${this.loginConfig.environment}" with ARM endpoint: "${this.loginConfig.resourceManagerEndpointUrl}"`);
try {
let baseUri = this.loginConfig.resourceManagerEndpointUrl;
if (baseUri.endsWith('/')) {
baseUri = baseUri.substring(0, baseUri.length - 1); // need to remove trailing / from resourceManagerEndpointUrl to correctly derive suffixes below
}
let suffixKeyvault = ".vault" + baseUri.substring(baseUri.indexOf('.')); // keyvault suffix starts with .
let suffixStorage = baseUri.substring(baseUri.indexOf('.') + 1); // storage suffix starts without .
let profileVersion = "2019-03-01-hybrid";
yield this.executeAzCliCommand(`cloud register -n "${this.loginConfig.environment}" --endpoint-resource-manager "${this.loginConfig.resourceManagerEndpointUrl}" --suffix-keyvault-dns "${suffixKeyvault}" --suffix-storage-endpoint "${suffixStorage}" --profile "${profileVersion}"`, false);
}
catch (error) {
core.error(`Error while trying to register cloud "${this.loginConfig.environment}": "${error}"`);
}
console.log(`Done registering cloud: "${this.loginConfig.environment}"`);
});
}
executeAzCliCommand(command, silent, execOptions = {}, args = []) {
return __awaiter(this, void 0, void 0, function* () {
execOptions.silent = !!silent;
yield exec.exec(`"${this.azPath}" ${command}`, args, execOptions);
});
}
}
exports.AzureCliLogin = AzureCliLogin;
function defaultExecOptions() {
return {
silent: true,
listeners: {
stderr: (data) => {
let error = data.toString();
let startsWithWarning = error.toLowerCase().startsWith('warning');
let startsWithError = error.toLowerCase().startsWith('error');
// printing ERROR
if (error && error.trim().length !== 0 && !startsWithWarning) {
if (startsWithError) {
//removing the keyword 'ERROR' to avoid duplicates while throwing error
error = error.slice(5);
}
core.setFailed(error);
}
}
}
};
}

14
lib/PowerShell/Constants.js
View File

@@ -1,14 +0,0 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
class Constants {
}
exports.default = Constants;
Constants.prefix = "az_";
Constants.moduleName = "Az.Accounts";
Constants.versionPattern = /[0-9]+\.[0-9]+\.[0-9]+/;
Constants.AzureCloud = "AzureCloud";
Constants.Subscription = "Subscription";
Constants.ServicePrincipal = "ServicePrincipal";
Constants.Success = "Success";
Constants.Error = "Error";
Constants.AzVersion = "AzVersion";

0
lib/PowerShell/IAzurePowerShellSession.js
View File

97
lib/PowerShell/ServicePrincipalLogin.js
View File

@@ -1,97 +0,0 @@
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.ServicePrincipalLogin = void 0;
const core = __importStar(require("@actions/core"));
const Utils_1 = __importDefault(require("./Utilities/Utils"));
const PowerShellToolRunner_1 = __importDefault(require("./Utilities/PowerShellToolRunner"));
const ScriptBuilder_1 = __importDefault(require("./Utilities/ScriptBuilder"));
const Constants_1 = __importDefault(require("./Constants"));
class ServicePrincipalLogin {
constructor(loginConfig) {
this.loginConfig = loginConfig;
}
initialize() {
return __awaiter(this, void 0, void 0, function* () {
Utils_1.default.setPSModulePath();
const azLatestVersion = yield Utils_1.default.getLatestModule(Constants_1.default.moduleName);
core.debug(`Az Module version used: ${azLatestVersion}`);
Utils_1.default.setPSModulePath(`${Constants_1.default.prefix}${azLatestVersion}`);
});
}
login() {
return __awaiter(this, void 0, void 0, function* () {
let output = "";
let commandStdErr = false;
const options = {
listeners: {
stdout: (data) => {
output += data.toString();
},
stderr: (data) => {
let error = data.toString();
if (error && error.trim().length !== 0) {
commandStdErr = true;
core.error(error);
}
}
}
};
const args = {
servicePrincipalId: this.loginConfig.servicePrincipalId,
servicePrincipalKey: this.loginConfig.servicePrincipalKey,
federatedToken: this.loginConfig.federatedToken,
subscriptionId: this.loginConfig.subscriptionId,
environment: this.loginConfig.environment,
scopeLevel: ServicePrincipalLogin.scopeLevel,
allowNoSubscriptionsLogin: this.loginConfig.allowNoSubscriptionsLogin,
resourceManagerEndpointUrl: this.loginConfig.resourceManagerEndpointUrl
};
const script = new ScriptBuilder_1.default().getAzPSLoginScript(ServicePrincipalLogin.scheme, this.loginConfig.tenantId, args);
yield PowerShellToolRunner_1.default.init();
yield PowerShellToolRunner_1.default.executePowerShellScriptBlock(script, options);
const result = JSON.parse(output.trim());
if (!(Constants_1.default.Success in result)) {
throw new Error(`Azure PowerShell login failed with error: ${result[Constants_1.default.Error]}`);
}
console.log(`Azure PowerShell session successfully initialized`);
});
}
}
exports.ServicePrincipalLogin = ServicePrincipalLogin;
ServicePrincipalLogin.scopeLevel = Constants_1.default.Subscription;
ServicePrincipalLogin.scheme = Constants_1.default.ServicePrincipal;

52
lib/PowerShell/Utilities/PowerShellToolRunner.js
View File

@@ -1,52 +0,0 @@
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
Object.defineProperty(exports, "__esModule", { value: true });
const io = __importStar(require("@actions/io"));
const exec = __importStar(require("@actions/exec"));
class PowerShellToolRunner {
static init() {
return __awaiter(this, void 0, void 0, function* () {
if (!PowerShellToolRunner.psPath) {
PowerShellToolRunner.psPath = yield io.which("pwsh", true);
}
});
}
static executePowerShellScriptBlock(scriptBlock, options = {}) {
return __awaiter(this, void 0, void 0, function* () {
//Options for error handling
yield exec.exec(`"${PowerShellToolRunner.psPath}" -Command`, [scriptBlock], options);
});
}
}
exports.default = PowerShellToolRunner;

89
lib/PowerShell/Utilities/ScriptBuilder.js
View File

@@ -1,89 +0,0 @@
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
const core = __importStar(require("@actions/core"));
const Constants_1 = __importDefault(require("../Constants"));
class ScriptBuilder {
constructor() {
this.script = "";
}
getAzPSLoginScript(scheme, tenantId, args) {
let command = `Clear-AzContext -Scope Process;
Clear-AzContext -Scope CurrentUser -Force -ErrorAction SilentlyContinue;`;
if (scheme === Constants_1.default.ServicePrincipal) {
if (args.environment.toLowerCase() == "azurestack") {
command += `Add-AzEnvironment -Name ${args.environment} -ARMEndpoint ${args.resourceManagerEndpointUrl} | out-null;`;
}
// Separate command script for OIDC and non-OIDC
if (!!args.federatedToken) {
command += `Connect-AzAccount -ServicePrincipal -ApplicationId '${args.servicePrincipalId}' -Tenant '${tenantId}' -FederatedToken '${args.federatedToken}' \
-Environment '${args.environment}' | out-null;`;
}
else {
command += `Connect-AzAccount -ServicePrincipal -Tenant '${tenantId}' -Credential \
(New-Object System.Management.Automation.PSCredential('${args.servicePrincipalId}',(ConvertTo-SecureString '${args.servicePrincipalKey.replace("'", "''")}' -AsPlainText -Force))) \
-Environment '${args.environment}' | out-null;`;
}
// command to set the subscription
if (args.scopeLevel === Constants_1.default.Subscription && !args.allowNoSubscriptionsLogin) {
command += `Set-AzContext -SubscriptionId '${args.subscriptionId}' -TenantId '${tenantId}' | out-null;`;
}
}
this.script += `try {
$ErrorActionPreference = "Stop"
$WarningPreference = "SilentlyContinue"
$output = @{}
${command}
$output['${Constants_1.default.Success}'] = "true"
}
catch {
$output['${Constants_1.default.Error}'] = $_.exception.Message
}
return ConvertTo-Json $output`;
core.debug(`Azure PowerShell Login Script: ${this.script}`);
return this.script;
}
getLatestModuleScript(moduleName) {
const command = `Get-Module -Name ${moduleName} -ListAvailable | Sort-Object Version -Descending | Select-Object -First 1`;
this.script += `try {
$ErrorActionPreference = "Stop"
$WarningPreference = "SilentlyContinue"
$output = @{}
$data = ${command}
$output['${Constants_1.default.AzVersion}'] = $data.Version.ToString()
$output['${Constants_1.default.Success}'] = "true"
}
catch {
$output['${Constants_1.default.Error}'] = $_.exception.Message
}
return ConvertTo-Json $output`;
core.debug(`GetLatestModuleScript: ${this.script}`);
return this.script;
}
}
exports.default = ScriptBuilder;

96
lib/PowerShell/Utilities/Utils.js
View File

@@ -1,96 +0,0 @@
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
const os = __importStar(require("os"));
const Constants_1 = __importDefault(require("../Constants"));
const ScriptBuilder_1 = __importDefault(require("./ScriptBuilder"));
const PowerShellToolRunner_1 = __importDefault(require("./PowerShellToolRunner"));
class Utils {
/**
* Add the folder path where Az modules are present to PSModulePath based on runner
* @param azPSVersion
* If azPSVersion is empty, folder path in which all Az modules are present are set
* If azPSVersion is not empty, folder path of exact Az module version is set
*/
static setPSModulePath(azPSVersion = "") {
let modulePath = "";
const runner = process.env.RUNNER_OS || os.type();
switch (runner.toLowerCase()) {
case "linux":
modulePath = `/usr/share/${azPSVersion}:`;
break;
case "windows":
case "windows_nt":
modulePath = `C:\\Modules\\${azPSVersion};`;
break;
case "macos":
case "darwin":
throw new Error(`OS not supported`);
default:
throw new Error(`Unknown os: ${runner.toLowerCase()}`);
}
process.env.PSModulePath = `${modulePath}${process.env.PSModulePath}`;
}
static getLatestModule(moduleName) {
return __awaiter(this, void 0, void 0, function* () {
let output = "";
const options = {
listeners: {
stdout: (data) => {
output += data.toString();
}
}
};
yield PowerShellToolRunner_1.default.init();
yield PowerShellToolRunner_1.default.executePowerShellScriptBlock(new ScriptBuilder_1.default()
.getLatestModuleScript(moduleName), options);
const result = JSON.parse(output.trim());
if (!(Constants_1.default.Success in result)) {
throw new Error(result[Constants_1.default.Error]);
}
const azLatestVersion = result[Constants_1.default.AzVersion];
if (!Utils.isValidVersion(azLatestVersion)) {
throw new Error(`Invalid AzPSVersion: ${azLatestVersion}`);
}
return azLatestVersion;
});
}
static isValidVersion(version) {
return !!version.match(Constants_1.default.versionPattern);
}
}
exports.default = Utils;

36
lib/cleanup/index.js
View File

@@ -4055,7 +4055,7 @@ class AzPSScriptBuilder {
if (subscriptionId) { if (subscriptionId) {
loginCmdlet += `-Subscription '${subscriptionId}' `; loginCmdlet += `-Subscription '${subscriptionId}' `;
} }
loginCmdlet += `${cmdletSuffix} -InformationAction Ignore | out-null;`; loginCmdlet += `${cmdletSuffix} | out-null;`;
return loginCmdlet; return loginCmdlet;
} }
} }
@@ -4339,16 +4339,11 @@ class LoginConfig {
this.mask(this.federatedToken); this.mask(this.federatedToken);
} }
catch (error) { catch (error) {
core.error("Failed to fetch federated token from GitHub. Please make sure to give write permissions to id-token in the workflow."); core.error(`Please make sure to give write permissions to id-token in the workflow.`);
throw error; throw error;
} }
try { let [issuer, subjectClaim] = yield jwtParser(this.federatedToken);
let [issuer, subjectClaim, audience, jobWorkflowRef] = yield jwtParser(this.federatedToken); core.info("Federated token details:\n issuer - " + issuer + "\n subject claim - " + subjectClaim);
core.info("Federated token details:\n issuer - " + issuer + "\n subject claim - " + subjectClaim + "\n audience - " + audience + "\n job_workflow_ref - " + jobWorkflowRef);
}
catch (error) {
core.warning(`Failed to parse the federated token. Error: ${error}`);
}
}); });
} }
validate() { validate() {
@@ -4364,7 +4359,7 @@ class LoginConfig {
} }
} }
if (!this.subscriptionId && !this.allowNoSubscriptionsLogin) { if (!this.subscriptionId && !this.allowNoSubscriptionsLogin) {
throw new Error("Ensure 'subscription-id' is supplied or 'allow-no-subscriptions' is 'true'."); throw new Error("Ensure subscriptionId is supplied.");
} }
} }
mask(parameterValue) { mask(parameterValue) {
@@ -4392,22 +4387,7 @@ function jwtParser(federatedToken) {
let tokenPayload = federatedToken.split('.')[1]; let tokenPayload = federatedToken.split('.')[1];
let bufferObj = Buffer.from(tokenPayload, "base64"); let bufferObj = Buffer.from(tokenPayload, "base64");
let decodedPayload = JSON.parse(bufferObj.toString("utf8")); let decodedPayload = JSON.parse(bufferObj.toString("utf8"));
const JWT_CLAIM_ISSUER = 'iss'; return [decodedPayload['iss'], decodedPayload['sub']];
const JWT_CLAIM_SUBJECT = 'sub';
const JWT_CLAIM_AUDIENCE = 'aud';
const JWT_CLAIM_JOB_WORKFLOW_REF = 'job_workflow_ref';
const requiredClaims = [
JWT_CLAIM_ISSUER,
JWT_CLAIM_SUBJECT,
JWT_CLAIM_AUDIENCE,
JWT_CLAIM_JOB_WORKFLOW_REF
];
for (const claim of requiredClaims) {
if (!decodedPayload[claim]) {
throw new Error(`The claim '${claim}' is missing from the token payload`);
}
}
return [decodedPayload[JWT_CLAIM_ISSUER], decodedPayload[JWT_CLAIM_SUBJECT], decodedPayload[JWT_CLAIM_AUDIENCE], decodedPayload[JWT_CLAIM_JOB_WORKFLOW_REF]];
}); });
} }
@@ -4461,8 +4441,8 @@ const AzPSUtils_1 = __nccwpck_require__(895);
function setUserAgent() { function setUserAgent() {
let usrAgentRepo = crypto.createHash('sha256').update(`${process.env.GITHUB_REPOSITORY}`).digest('hex'); let usrAgentRepo = crypto.createHash('sha256').update(`${process.env.GITHUB_REPOSITORY}`).digest('hex');
let actionName = 'AzureLogin'; let actionName = 'AzureLogin';
process.env.AZURE_HTTP_USER_AGENT = (!!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT} ` : '') + `GITHUBACTIONS/${actionName}@v2_${usrAgentRepo}_${process.env.RUNNER_ENVIRONMENT}_${process.env.GITHUB_RUN_ID}`; process.env.AZURE_HTTP_USER_AGENT = (!!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT} ` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
process.env.AZUREPS_HOST_ENVIRONMENT = (!!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT} ` : '') + `GITHUBACTIONS/${actionName}@v2_${usrAgentRepo}_${process.env.RUNNER_ENVIRONMENT}_${process.env.GITHUB_RUN_ID}`; process.env.AZUREPS_HOST_ENVIRONMENT = (!!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT} ` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
} }
exports.setUserAgent = setUserAgent; exports.setUserAgent = setUserAgent;
function cleanupAzCLIAccounts() { function cleanupAzCLIAccounts() {

117
lib/common/LoginConfig.js
View File

@@ -1,117 +0,0 @@
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.LoginConfig = void 0;
const core = __importStar(require("@actions/core"));
const actions_secret_parser_1 = require("actions-secret-parser");
class LoginConfig {
constructor() {
this.enableOIDC = true;
}
initialize() {
return __awaiter(this, void 0, void 0, function* () {
this.environment = core.getInput("environment").toLowerCase();
this.enableAzPSSession = core.getInput('enable-AzPSSession').toLowerCase() === "true";
this.allowNoSubscriptionsLogin = core.getInput('allow-no-subscriptions').toLowerCase() === "true";
this.servicePrincipalId = core.getInput('client-id', { required: false });
this.servicePrincipalKey = null;
this.tenantId = core.getInput('tenant-id', { required: false });
this.subscriptionId = core.getInput('subscription-id', { required: false });
this.audience = core.getInput('audience', { required: false });
this.federatedToken = null;
let creds = core.getInput('creds', { required: false });
let secrets = creds ? new actions_secret_parser_1.SecretParser(creds, actions_secret_parser_1.FormatType.JSON) : null;
if (creds) {
core.debug('using creds JSON...');
this.enableOIDC = false;
this.servicePrincipalId = secrets.getSecret("$.clientId", true);
this.servicePrincipalKey = secrets.getSecret("$.clientSecret", true);
this.tenantId = secrets.getSecret("$.tenantId", true);
this.subscriptionId = secrets.getSecret("$.subscriptionId", true);
this.resourceManagerEndpointUrl = secrets.getSecret("$.resourceManagerEndpointUrl", false);
}
this.getFederatedTokenIfNecessary();
});
}
getFederatedTokenIfNecessary() {
return __awaiter(this, void 0, void 0, function* () {
if (!this.enableOIDC) {
return;
}
try {
this.federatedToken = yield core.getIDToken(this.audience);
}
catch (error) {
core.error(`Please make sure to give write permissions to id-token in the workflow.`);
throw error;
}
if (!!this.federatedToken) {
let [issuer, subjectClaim] = yield jwtParser(this.federatedToken);
console.log("Federated token details: \n issuer - " + issuer + " \n subject claim - " + subjectClaim);
}
else {
throw new Error("Failed to fetch federated token.");
}
});
}
validate() {
return __awaiter(this, void 0, void 0, function* () {
if (!this.servicePrincipalId || !this.tenantId || !(this.servicePrincipalKey || this.enableOIDC)) {
throw new Error("Not all values are present in the credentials. Ensure clientId, clientSecret and tenantId are supplied.");
}
if (!this.subscriptionId && !this.allowNoSubscriptionsLogin) {
throw new Error("Not all values are present in the credentials. Ensure subscriptionId is supplied.");
}
if (!LoginConfig.azureSupportedCloudName.has(this.environment)) {
throw new Error("Unsupported value for environment is passed.The list of supported values for environment are azureusgovernment', azurechinacloud, azuregermancloud, azurecloud or azurestack");
}
});
}
}
exports.LoginConfig = LoginConfig;
LoginConfig.azureSupportedCloudName = new Set([
"azureusgovernment",
"azurechinacloud",
"azuregermancloud",
"azurecloud",
"azurestack"
]);
function jwtParser(federatedToken) {
return __awaiter(this, void 0, void 0, function* () {
let tokenPayload = federatedToken.split('.')[1];
let bufferObj = Buffer.from(tokenPayload, "base64");
let decodedPayload = JSON.parse(bufferObj.toString("utf8"));
return [decodedPayload['iss'], decodedPayload['sub']];
});
}

83
lib/main.js
View File

@@ -1,83 +0,0 @@
"use strict";
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
Object.defineProperty(exports, "__esModule", { value: true });
const core = __importStar(require("@actions/core"));
const ServicePrincipalLogin_1 = require("./PowerShell/ServicePrincipalLogin");
const LoginConfig_1 = require("./common/LoginConfig");
const AzureCliLogin_1 = require("./Cli/AzureCliLogin");
var prefix = !!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT}` : "";
var azPSHostEnv = !!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT}` : "";
function main() {
return __awaiter(this, void 0, void 0, function* () {
var isAzCLISuccess = false;
try {
let usrAgentRepo = `${process.env.GITHUB_REPOSITORY}`;
let actionName = 'AzureLogin';
let userAgentString = (!!prefix ? `${prefix}+` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
let azurePSHostEnv = (!!azPSHostEnv ? `${azPSHostEnv}+` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
core.exportVariable('AZURE_HTTP_USER_AGENT', userAgentString);
core.exportVariable('AZUREPS_HOST_ENVIRONMENT', azurePSHostEnv);
// perpare the login configuration
var loginConfig = new LoginConfig_1.LoginConfig();
yield loginConfig.initialize();
yield loginConfig.validate();
// login to Azure Cli
var cliLogin = new AzureCliLogin_1.AzureCliLogin(loginConfig);
yield cliLogin.login();
isAzCLISuccess = true;
//login to Azure PowerShell
if (loginConfig.enableAzPSSession) {
console.log(`Running Azure PS Login`);
var spnlogin = new ServicePrincipalLogin_1.ServicePrincipalLogin(loginConfig);
yield spnlogin.initialize();
yield spnlogin.login();
}
console.log("Login successful.");
}
catch (error) {
if (!isAzCLISuccess) {
core.setFailed(`Az CLI Login failed with ${error}. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows`);
}
else {
core.setFailed(`Azure PowerShell Login failed with ${error}. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows`);
}
}
finally {
// Reset AZURE_HTTP_USER_AGENT
core.exportVariable('AZURE_HTTP_USER_AGENT', prefix);
core.exportVariable('AZUREPS_HOST_ENVIRONMENT', azPSHostEnv);
}
});
}
main();

72
lib/main/index.js
View File

@@ -4001,15 +4001,9 @@ class AzureCliLogin {
} }
} }
}; };
yield this.executeAzCliCommand(["version"], true, execOptions); yield this.executeAzCliCommand(["--version"], true, execOptions);
core.debug(`Azure CLI version used:\n${output}`); core.debug(`Azure CLI version used:\n${output}`);
try { this.setAzurestackEnvIfNecessary();
this.azVersion = JSON.parse(output)["azure-cli"];
}
catch (error) {
core.warning("Failed to parse Azure CLI version.");
}
yield this.registerAzurestackEnvIfNecessary();
yield this.executeAzCliCommand(["cloud", "set", "-n", this.loginConfig.environment], false); yield this.executeAzCliCommand(["cloud", "set", "-n", this.loginConfig.environment], false);
core.info(`Done setting cloud: "${this.loginConfig.environment}"`); core.info(`Done setting cloud: "${this.loginConfig.environment}"`);
if (this.loginConfig.authType === LoginConfig_1.LoginConfig.AUTH_TYPE_SERVICE_PRINCIPAL) { if (this.loginConfig.authType === LoginConfig_1.LoginConfig.AUTH_TYPE_SERVICE_PRINCIPAL) {
@@ -4035,7 +4029,7 @@ class AzureCliLogin {
} }
}); });
} }
registerAzurestackEnvIfNecessary() { setAzurestackEnvIfNecessary() {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
if (this.loginConfig.environment != "azurestack") { if (this.loginConfig.environment != "azurestack") {
return; return;
@@ -4060,7 +4054,7 @@ class AzureCliLogin {
let suffixKeyvault = ".vault" + baseUri.substring(baseUri.indexOf('.')); // keyvault suffix starts with . let suffixKeyvault = ".vault" + baseUri.substring(baseUri.indexOf('.')); // keyvault suffix starts with .
let suffixStorage = baseUri.substring(baseUri.indexOf('.') + 1); // storage suffix starts without . let suffixStorage = baseUri.substring(baseUri.indexOf('.') + 1); // storage suffix starts without .
let profileVersion = "2019-03-01-hybrid"; let profileVersion = "2019-03-01-hybrid";
yield this.executeAzCliCommand(["cloud", "register", "-n", this.loginConfig.environment, "--endpoint-resource-manager", this.loginConfig.resourceManagerEndpointUrl, "--suffix-keyvault-dns", suffixKeyvault, "--suffix-storage-endpoint", suffixStorage, "--profile", profileVersion], false); yield this.executeAzCliCommand(["cloud", "register", "-n", this.loginConfig.environment, "--endpoint-resource-manager", `"${this.loginConfig.resourceManagerEndpointUrl}"`, "--suffix-keyvault-dns", `"${suffixKeyvault}"`, "--suffix-storage-endpoint", `"${suffixStorage}"`, "--profile", `"${profileVersion}"`], false);
} }
catch (error) { catch (error) {
core.error(`Error while trying to register cloud "${this.loginConfig.environment}"`); core.error(`Error while trying to register cloud "${this.loginConfig.environment}"`);
@@ -4085,20 +4079,7 @@ class AzureCliLogin {
} }
loginWithUserAssignedIdentity(args) { loginWithUserAssignedIdentity(args) {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
let azcliMinorVersion = 0; args.push("--username", this.loginConfig.servicePrincipalId);
try {
azcliMinorVersion = parseInt(this.azVersion.split('.')[1], 10);
}
catch (error) {
core.warning("Failed to parse the minor version of Azure CLI. Assuming the version is less than 2.69.0");
}
//From Azure-cli v2.69.0, `--username` is replaced with `--client-id`, `--object-id` or `--resource-id`: https://github.com/Azure/azure-cli/pull/30525
if (azcliMinorVersion < 69) {
args.push("--username", this.loginConfig.servicePrincipalId);
}
else {
args.push("--client-id", this.loginConfig.servicePrincipalId);
}
yield this.callCliLogin(args, 'user-assigned managed identity'); yield this.callCliLogin(args, 'user-assigned managed identity');
}); });
} }
@@ -4342,7 +4323,7 @@ class AzPSScriptBuilder {
if (subscriptionId) { if (subscriptionId) {
loginCmdlet += `-Subscription '${subscriptionId}' `; loginCmdlet += `-Subscription '${subscriptionId}' `;
} }
loginCmdlet += `${cmdletSuffix} -InformationAction Ignore | out-null;`; loginCmdlet += `${cmdletSuffix} | out-null;`;
return loginCmdlet; return loginCmdlet;
} }
} }
@@ -4566,16 +4547,11 @@ class LoginConfig {
this.mask(this.federatedToken); this.mask(this.federatedToken);
} }
catch (error) { catch (error) {
core.error("Failed to fetch federated token from GitHub. Please make sure to give write permissions to id-token in the workflow."); core.error(`Please make sure to give write permissions to id-token in the workflow.`);
throw error; throw error;
} }
try { let [issuer, subjectClaim] = yield jwtParser(this.federatedToken);
let [issuer, subjectClaim, audience, jobWorkflowRef] = yield jwtParser(this.federatedToken); core.info("Federated token details:\n issuer - " + issuer + "\n subject claim - " + subjectClaim);
core.info("Federated token details:\n issuer - " + issuer + "\n subject claim - " + subjectClaim + "\n audience - " + audience + "\n job_workflow_ref - " + jobWorkflowRef);
}
catch (error) {
core.warning(`Failed to parse the federated token. Error: ${error}`);
}
}); });
} }
validate() { validate() {
@@ -4591,7 +4567,7 @@ class LoginConfig {
} }
} }
if (!this.subscriptionId && !this.allowNoSubscriptionsLogin) { if (!this.subscriptionId && !this.allowNoSubscriptionsLogin) {
throw new Error("Ensure 'subscription-id' is supplied or 'allow-no-subscriptions' is 'true'."); throw new Error("Ensure subscriptionId is supplied.");
} }
} }
mask(parameterValue) { mask(parameterValue) {
@@ -4619,22 +4595,7 @@ function jwtParser(federatedToken) {
let tokenPayload = federatedToken.split('.')[1]; let tokenPayload = federatedToken.split('.')[1];
let bufferObj = Buffer.from(tokenPayload, "base64"); let bufferObj = Buffer.from(tokenPayload, "base64");
let decodedPayload = JSON.parse(bufferObj.toString("utf8")); let decodedPayload = JSON.parse(bufferObj.toString("utf8"));
const JWT_CLAIM_ISSUER = 'iss'; return [decodedPayload['iss'], decodedPayload['sub']];
const JWT_CLAIM_SUBJECT = 'sub';
const JWT_CLAIM_AUDIENCE = 'aud';
const JWT_CLAIM_JOB_WORKFLOW_REF = 'job_workflow_ref';
const requiredClaims = [
JWT_CLAIM_ISSUER,
JWT_CLAIM_SUBJECT,
JWT_CLAIM_AUDIENCE,
JWT_CLAIM_JOB_WORKFLOW_REF
];
for (const claim of requiredClaims) {
if (!decodedPayload[claim]) {
throw new Error(`The claim '${claim}' is missing from the token payload`);
}
}
return [decodedPayload[JWT_CLAIM_ISSUER], decodedPayload[JWT_CLAIM_SUBJECT], decodedPayload[JWT_CLAIM_AUDIENCE], decodedPayload[JWT_CLAIM_JOB_WORKFLOW_REF]];
}); });
} }
@@ -4688,8 +4649,8 @@ const AzPSUtils_1 = __nccwpck_require__(1895);
function setUserAgent() { function setUserAgent() {
let usrAgentRepo = crypto.createHash('sha256').update(`${process.env.GITHUB_REPOSITORY}`).digest('hex'); let usrAgentRepo = crypto.createHash('sha256').update(`${process.env.GITHUB_REPOSITORY}`).digest('hex');
let actionName = 'AzureLogin'; let actionName = 'AzureLogin';
process.env.AZURE_HTTP_USER_AGENT = (!!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT} ` : '') + `GITHUBACTIONS/${actionName}@v2_${usrAgentRepo}_${process.env.RUNNER_ENVIRONMENT}_${process.env.GITHUB_RUN_ID}`; process.env.AZURE_HTTP_USER_AGENT = (!!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT} ` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
process.env.AZUREPS_HOST_ENVIRONMENT = (!!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT} ` : '') + `GITHUBACTIONS/${actionName}@v2_${usrAgentRepo}_${process.env.RUNNER_ENVIRONMENT}_${process.env.GITHUB_RUN_ID}`; process.env.AZUREPS_HOST_ENVIRONMENT = (!!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT} ` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
} }
exports.setUserAgent = setUserAgent; exports.setUserAgent = setUserAgent;
function cleanupAzCLIAccounts() { function cleanupAzCLIAccounts() {
@@ -4765,13 +4726,6 @@ function main() {
return __awaiter(this, void 0, void 0, function* () { return __awaiter(this, void 0, void 0, function* () {
try { try {
(0, Utils_1.setUserAgent)(); (0, Utils_1.setUserAgent)();
const preCleanup = process.env.AZURE_LOGIN_PRE_CLEANUP;
if ('true' == preCleanup) {
yield (0, Utils_1.cleanupAzCLIAccounts)();
if (core.getInput('enable-AzPSSession').toLowerCase() === "true") {
yield (0, Utils_1.cleanupAzPSAccounts)();
}
}
// prepare the login configuration // prepare the login configuration
var loginConfig = new LoginConfig_1.LoginConfig(); var loginConfig = new LoginConfig_1.LoginConfig();
yield loginConfig.initialize(); yield loginConfig.initialize();

268
package-lock.json generated
View File

@@ -1,12 +1,12 @@
{ {
"name": "login", "name": "login",
"version": "2.2.0", "version": "2.0.0",
"lockfileVersion": 3, "lockfileVersion": 3,
"requires": true, "requires": true,
"packages": { "packages": {
"": { "": {
"name": "login", "name": "login",
"version": "2.2.0", "version": "2.0.0",
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@actions/core": "1.9.1", "@actions/core": "1.9.1",
@@ -16,7 +16,7 @@
}, },
"devDependencies": { "devDependencies": {
"@types/jest": "^29.2.4", "@types/jest": "^29.2.4",
"@types/node": "^24.0.0", "@types/node": "^20.11.1",
"@vercel/ncc": "^0.38.1", "@vercel/ncc": "^0.38.1",
"jest": "^29.3.1", "jest": "^29.3.1",
"jest-circus": "^29.3.1", "jest-circus": "^29.3.1",
@@ -77,20 +77,73 @@
} }
}, },
"node_modules/@babel/code-frame": { "node_modules/@babel/code-frame": {
"version": "7.29.0", "version": "7.23.5",
"resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.0.tgz",
"integrity": "sha512-9NhCeYjq9+3uxgdtp20LSiJXJvN0FeCtNGpJxuMFZ1Kv3cWUNb6DOhJwUvcVCzKGR66cw4njwM6hrJLqgOwbcw==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@babel/helper-validator-identifier": "^7.28.5", "@babel/highlight": "^7.23.4",
"js-tokens": "^4.0.0", "chalk": "^2.4.2"
"picocolors": "^1.1.1"
}, },
"engines": { "engines": {
"node": ">=6.9.0" "node": ">=6.9.0"
} }
}, },
"node_modules/@babel/code-frame/node_modules/ansi-styles": {
"version": "3.2.1",
"dev": true,
"license": "MIT",
"dependencies": {
"color-convert": "^1.9.0"
},
"engines": {
"node": ">=4"
}
},
"node_modules/@babel/code-frame/node_modules/chalk": {
"version": "2.4.2",
"dev": true,
"license": "MIT",
"dependencies": {
"ansi-styles": "^3.2.1",
"escape-string-regexp": "^1.0.5",
"supports-color": "^5.3.0"
},
"engines": {
"node": ">=4"
}
},
"node_modules/@babel/code-frame/node_modules/color-convert": {
"version": "1.9.3",
"dev": true,
"license": "MIT",
"dependencies": {
"color-name": "1.1.3"
}
},
"node_modules/@babel/code-frame/node_modules/color-name": {
"version": "1.1.3",
"dev": true,
"license": "MIT"
},
"node_modules/@babel/code-frame/node_modules/escape-string-regexp": {
"version": "1.0.5",
"dev": true,
"license": "MIT",
"engines": {
"node": ">=0.8.0"
}
},
"node_modules/@babel/code-frame/node_modules/supports-color": {
"version": "5.5.0",
"dev": true,
"license": "MIT",
"dependencies": {
"has-flag": "^3.0.0"
},
"engines": {
"node": ">=4"
}
},
"node_modules/@babel/compat-data": { "node_modules/@babel/compat-data": {
"version": "7.20.5", "version": "7.20.5",
"dev": true, "dev": true,
@@ -268,9 +321,7 @@
} }
}, },
"node_modules/@babel/helper-string-parser": { "node_modules/@babel/helper-string-parser": {
"version": "7.27.1", "version": "7.23.4",
"resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.27.1.tgz",
"integrity": "sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"engines": { "engines": {
@@ -278,9 +329,7 @@
} }
}, },
"node_modules/@babel/helper-validator-identifier": { "node_modules/@babel/helper-validator-identifier": {
"version": "7.28.5", "version": "7.22.20",
"resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.28.5.tgz",
"integrity": "sha512-qSs4ifwzKJSV39ucNjsvc6WVHs6b7S03sOh2OcHF9UHfVPqWWALUsNUVzhSBiItjRZoLHx7nIarVjqKVusUZ1Q==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"engines": { "engines": {
@@ -296,28 +345,91 @@
} }
}, },
"node_modules/@babel/helpers": { "node_modules/@babel/helpers": {
"version": "7.28.6", "version": "7.20.6",
"resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.28.6.tgz",
"integrity": "sha512-xOBvwq86HHdB7WUDTfKfT/Vuxh7gElQ+Sfti2Cy6yIWNW05P8iUslOVcZ4/sKbE+/jQaukQAdz/gf3724kYdqw==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@babel/template": "^7.28.6", "@babel/template": "^7.18.10",
"@babel/types": "^7.28.6" "@babel/traverse": "^7.20.5",
"@babel/types": "^7.20.5"
}, },
"engines": { "engines": {
"node": ">=6.9.0" "node": ">=6.9.0"
} }
}, },
"node_modules/@babel/parser": { "node_modules/@babel/highlight": {
"version": "7.29.0", "version": "7.23.4",
"resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.0.tgz",
"integrity": "sha512-IyDgFV5GeDUVX4YdF/3CPULtVGSXXMLh1xVIgdCgxApktqnQV0r7/8Nqthg+8YLGaAtdyIlo2qIdZrbCv4+7ww==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@babel/types": "^7.29.0" "@babel/helper-validator-identifier": "^7.22.20",
"chalk": "^2.4.2",
"js-tokens": "^4.0.0"
}, },
"engines": {
"node": ">=6.9.0"
}
},
"node_modules/@babel/highlight/node_modules/ansi-styles": {
"version": "3.2.1",
"dev": true,
"license": "MIT",
"dependencies": {
"color-convert": "^1.9.0"
},
"engines": {
"node": ">=4"
}
},
"node_modules/@babel/highlight/node_modules/chalk": {
"version": "2.4.2",
"dev": true,
"license": "MIT",
"dependencies": {
"ansi-styles": "^3.2.1",
"escape-string-regexp": "^1.0.5",
"supports-color": "^5.3.0"
},
"engines": {
"node": ">=4"
}
},
"node_modules/@babel/highlight/node_modules/color-convert": {
"version": "1.9.3",
"dev": true,
"license": "MIT",
"dependencies": {
"color-name": "1.1.3"
}
},
"node_modules/@babel/highlight/node_modules/color-name": {
"version": "1.1.3",
"dev": true,
"license": "MIT"
},
"node_modules/@babel/highlight/node_modules/escape-string-regexp": {
"version": "1.0.5",
"dev": true,
"license": "MIT",
"engines": {
"node": ">=0.8.0"
}
},
"node_modules/@babel/highlight/node_modules/supports-color": {
"version": "5.5.0",
"dev": true,
"license": "MIT",
"dependencies": {
"has-flag": "^3.0.0"
},
"engines": {
"node": ">=4"
}
},
"node_modules/@babel/parser": {
"version": "7.23.9",
"dev": true,
"license": "MIT",
"bin": { "bin": {
"parser": "bin/babel-parser.js" "parser": "bin/babel-parser.js"
}, },
@@ -489,15 +601,13 @@
} }
}, },
"node_modules/@babel/template": { "node_modules/@babel/template": {
"version": "7.28.6", "version": "7.23.9",
"resolved": "https://registry.npmjs.org/@babel/template/-/template-7.28.6.tgz",
"integrity": "sha512-YA6Ma2KsCdGb+WC6UpBVFJGXL58MDA6oyONbjyF/+5sBgxY/dwkhLogbMT2GXXyU84/IhRw/2D1Os1B/giz+BQ==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@babel/code-frame": "^7.28.6", "@babel/code-frame": "^7.23.5",
"@babel/parser": "^7.28.6", "@babel/parser": "^7.23.9",
"@babel/types": "^7.28.6" "@babel/types": "^7.23.9"
}, },
"engines": { "engines": {
"node": ">=6.9.0" "node": ">=6.9.0"
@@ -524,14 +634,13 @@
} }
}, },
"node_modules/@babel/types": { "node_modules/@babel/types": {
"version": "7.29.0", "version": "7.23.9",
"resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.0.tgz",
"integrity": "sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"@babel/helper-string-parser": "^7.27.1", "@babel/helper-string-parser": "^7.23.4",
"@babel/helper-validator-identifier": "^7.28.5" "@babel/helper-validator-identifier": "^7.22.20",
"to-fast-properties": "^2.0.0"
}, },
"engines": { "engines": {
"node": ">=6.9.0" "node": ">=6.9.0"
@@ -968,13 +1077,11 @@
} }
}, },
"node_modules/@types/node": { "node_modules/@types/node": {
"version": "24.12.0", "version": "20.11.19",
"resolved": "https://registry.npmjs.org/@types/node/-/node-24.12.0.tgz",
"integrity": "sha512-GYDxsZi3ChgmckRT9HPU0WEhKLP08ev/Yfcq2AstjrDASOYCSXeyjDsHg4v5t4jOj7cyDX3vmprafKlWIG9MXQ==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"undici-types": "~7.16.0" "undici-types": "~5.26.4"
} }
}, },
"node_modules/@types/prettier": { "node_modules/@types/prettier": {
@@ -1163,9 +1270,7 @@
"license": "MIT" "license": "MIT"
}, },
"node_modules/brace-expansion": { "node_modules/brace-expansion": {
"version": "1.1.12", "version": "1.1.11",
"resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
"integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==",
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"balanced-match": "^1.0.0", "balanced-match": "^1.0.0",
@@ -1173,13 +1278,11 @@
} }
}, },
"node_modules/braces": { "node_modules/braces": {
"version": "3.0.3", "version": "3.0.2",
"resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
"integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"fill-range": "^7.1.1" "fill-range": "^7.0.1"
}, },
"engines": { "engines": {
"node": ">=8" "node": ">=8"
@@ -1363,9 +1466,7 @@
"license": "MIT" "license": "MIT"
}, },
"node_modules/cross-spawn": { "node_modules/cross-spawn": {
"version": "7.0.6", "version": "7.0.3",
"resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz",
"integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
@@ -1537,9 +1638,7 @@
} }
}, },
"node_modules/fill-range": { "node_modules/fill-range": {
"version": "7.1.1", "version": "7.0.1",
"resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
"integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
@@ -1565,21 +1664,6 @@
"version": "1.0.0", "version": "1.0.0",
"license": "ISC" "license": "ISC"
}, },
"node_modules/fsevents": {
"version": "2.3.3",
"resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz",
"integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==",
"dev": true,
"hasInstallScript": true,
"license": "MIT",
"optional": true,
"os": [
"darwin"
],
"engines": {
"node": "^8.16.0 || ^10.6.0 || >=11.0.0"
}
},
"node_modules/function-bind": { "node_modules/function-bind": {
"version": "1.1.1", "version": "1.1.1",
"dev": true, "dev": true,
@@ -1662,6 +1746,14 @@
"node": ">= 0.4.0" "node": ">= 0.4.0"
} }
}, },
"node_modules/has-flag": {
"version": "3.0.0",
"dev": true,
"license": "MIT",
"engines": {
"node": ">=4"
}
},
"node_modules/html-escaper": { "node_modules/html-escaper": {
"version": "2.0.2", "version": "2.0.2",
"dev": true, "dev": true,
@@ -1747,8 +1839,6 @@
}, },
"node_modules/is-number": { "node_modules/is-number": {
"version": "7.0.0", "version": "7.0.0",
"resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz",
"integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"engines": { "engines": {
@@ -2386,15 +2476,11 @@
}, },
"node_modules/js-tokens": { "node_modules/js-tokens": {
"version": "4.0.0", "version": "4.0.0",
"resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz",
"integrity": "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==",
"dev": true, "dev": true,
"license": "MIT" "license": "MIT"
}, },
"node_modules/js-yaml": { "node_modules/js-yaml": {
"version": "3.14.2", "version": "3.14.1",
"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz",
"integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
@@ -2465,9 +2551,7 @@
} }
}, },
"node_modules/lodash": { "node_modules/lodash": {
"version": "4.17.23", "version": "4.17.21",
"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.23.tgz",
"integrity": "sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==",
"license": "MIT" "license": "MIT"
}, },
"node_modules/lodash.memoize": { "node_modules/lodash.memoize": {
@@ -2519,13 +2603,11 @@
"license": "MIT" "license": "MIT"
}, },
"node_modules/micromatch": { "node_modules/micromatch": {
"version": "4.0.8", "version": "4.0.5",
"resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.8.tgz",
"integrity": "sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"braces": "^3.0.3", "braces": "^3.0.2",
"picomatch": "^2.3.1" "picomatch": "^2.3.1"
}, },
"engines": { "engines": {
@@ -2541,9 +2623,7 @@
} }
}, },
"node_modules/minimatch": { "node_modules/minimatch": {
"version": "3.1.5", "version": "3.1.2",
"resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz",
"integrity": "sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==",
"license": "ISC", "license": "ISC",
"dependencies": { "dependencies": {
"brace-expansion": "^1.1.7" "brace-expansion": "^1.1.7"
@@ -2719,9 +2799,7 @@
"license": "MIT" "license": "MIT"
}, },
"node_modules/picocolors": { "node_modules/picocolors": {
"version": "1.1.1", "version": "1.0.0",
"resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz",
"integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==",
"dev": true, "dev": true,
"license": "ISC" "license": "ISC"
}, },
@@ -3037,10 +3115,16 @@
"dev": true, "dev": true,
"license": "BSD-3-Clause" "license": "BSD-3-Clause"
}, },
"node_modules/to-fast-properties": {
"version": "2.0.0",
"dev": true,
"license": "MIT",
"engines": {
"node": ">=4"
}
},
"node_modules/to-regex-range": { "node_modules/to-regex-range": {
"version": "5.0.1", "version": "5.0.1",
"resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
"integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
@@ -3145,9 +3229,7 @@
} }
}, },
"node_modules/undici-types": { "node_modules/undici-types": {
"version": "7.16.0", "version": "5.26.5",
"resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.16.0.tgz",
"integrity": "sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw==",
"dev": true, "dev": true,
"license": "MIT" "license": "MIT"
}, },

4
package.json
View File

@@ -1,6 +1,6 @@
{ {
"name": "login", "name": "login",
"version": "2.2.0", "version": "2.0.0",
"description": "Login Azure wraps the az login, allowing for Azure actions to log into Azure", "description": "Login Azure wraps the az login, allowing for Azure actions to log into Azure",
"main": "lib/main/index.js", "main": "lib/main/index.js",
"scripts": { "scripts": {
@@ -13,7 +13,7 @@
"license": "MIT", "license": "MIT",
"devDependencies": { "devDependencies": {
"@types/jest": "^29.2.4", "@types/jest": "^29.2.4",
"@types/node": "^24.0.0", "@types/node": "^20.11.1",
"@vercel/ncc": "^0.38.1", "@vercel/ncc": "^0.38.1",
"jest": "^29.3.1", "jest": "^29.3.1",
"jest-circus": "^29.3.1", "jest-circus": "^29.3.1",

31
src/Cli/AzureCliLogin.ts
View File

@@ -8,7 +8,6 @@ export class AzureCliLogin {
loginConfig: LoginConfig; loginConfig: LoginConfig;
azPath: string; azPath: string;
loginOptions: ExecOptions; loginOptions: ExecOptions;
azVersion: string;
constructor(loginConfig: LoginConfig) { constructor(loginConfig: LoginConfig) {
this.loginConfig = loginConfig; this.loginConfig = loginConfig;
@@ -29,15 +28,10 @@ export class AzureCliLogin {
} }
}; };
await this.executeAzCliCommand(["version"], true, execOptions); await this.executeAzCliCommand(["--version"], true, execOptions);
core.debug(`Azure CLI version used:\n${output}`); core.debug(`Azure CLI version used:\n${output}`);
try {
this.azVersion = JSON.parse(output)["azure-cli"]; this.setAzurestackEnvIfNecessary();
}
catch (error) {
core.warning("Failed to parse Azure CLI version.");
}
await this.registerAzurestackEnvIfNecessary();
await this.executeAzCliCommand(["cloud", "set", "-n", this.loginConfig.environment], false); await this.executeAzCliCommand(["cloud", "set", "-n", this.loginConfig.environment], false);
core.info(`Done setting cloud: "${this.loginConfig.environment}"`); core.info(`Done setting cloud: "${this.loginConfig.environment}"`);
@@ -65,7 +59,7 @@ export class AzureCliLogin {
} }
} }
async registerAzurestackEnvIfNecessary() { async setAzurestackEnvIfNecessary() {
if (this.loginConfig.environment != "azurestack") { if (this.loginConfig.environment != "azurestack") {
return; return;
} }
@@ -91,7 +85,7 @@ export class AzureCliLogin {
let suffixKeyvault = ".vault" + baseUri.substring(baseUri.indexOf('.')); // keyvault suffix starts with . let suffixKeyvault = ".vault" + baseUri.substring(baseUri.indexOf('.')); // keyvault suffix starts with .
let suffixStorage = baseUri.substring(baseUri.indexOf('.') + 1); // storage suffix starts without . let suffixStorage = baseUri.substring(baseUri.indexOf('.') + 1); // storage suffix starts without .
let profileVersion = "2019-03-01-hybrid"; let profileVersion = "2019-03-01-hybrid";
await this.executeAzCliCommand(["cloud", "register", "-n", this.loginConfig.environment, "--endpoint-resource-manager", this.loginConfig.resourceManagerEndpointUrl, "--suffix-keyvault-dns", suffixKeyvault, "--suffix-storage-endpoint", suffixStorage, "--profile", profileVersion], false); await this.executeAzCliCommand(["cloud", "register", "-n", this.loginConfig.environment, "--endpoint-resource-manager", `"${this.loginConfig.resourceManagerEndpointUrl}"`, "--suffix-keyvault-dns", `"${suffixKeyvault}"`, "--suffix-storage-endpoint", `"${suffixStorage}"`, "--profile", `"${profileVersion}"`], false);
} }
catch (error) { catch (error) {
core.error(`Error while trying to register cloud "${this.loginConfig.environment}"`); core.error(`Error while trying to register cloud "${this.loginConfig.environment}"`);
@@ -114,20 +108,7 @@ export class AzureCliLogin {
} }
async loginWithUserAssignedIdentity(args: string[]) { async loginWithUserAssignedIdentity(args: string[]) {
let azcliMinorVersion = 0; args.push("--username", this.loginConfig.servicePrincipalId);
try {
azcliMinorVersion = parseInt(this.azVersion.split('.')[1], 10);
}
catch (error) {
core.warning("Failed to parse the minor version of Azure CLI. Assuming the version is less than 2.69.0");
}
//From Azure-cli v2.69.0, `--username` is replaced with `--client-id`, `--object-id` or `--resource-id`: https://github.com/Azure/azure-cli/pull/30525
if (azcliMinorVersion < 69) {
args.push("--username", this.loginConfig.servicePrincipalId);
}
else {
args.push("--client-id", this.loginConfig.servicePrincipalId);
}
await this.callCliLogin(args, 'user-assigned managed identity'); await this.callCliLogin(args, 'user-assigned managed identity');
} }

2
src/PowerShell/AzPSScriptBuilder.ts
View File

@@ -104,7 +104,7 @@ export default class AzPSScriptBuilder {
if(subscriptionId){ if(subscriptionId){
loginCmdlet += `-Subscription '${subscriptionId}' `; loginCmdlet += `-Subscription '${subscriptionId}' `;
} }
loginCmdlet += `${cmdletSuffix} -InformationAction Ignore | out-null;`; loginCmdlet += `${cmdletSuffix} | out-null;`;
return loginCmdlet; return loginCmdlet;
} }
} }

32
src/common/LoginConfig.ts
View File

@@ -79,16 +79,11 @@ export class LoginConfig {
this.mask(this.federatedToken); this.mask(this.federatedToken);
} }
catch (error) { catch (error) {
core.error("Failed to fetch federated token from GitHub. Please make sure to give write permissions to id-token in the workflow."); core.error(`Please make sure to give write permissions to id-token in the workflow.`);
throw error; throw error;
} }
try { let [issuer, subjectClaim] = await jwtParser(this.federatedToken);
let [issuer, subjectClaim, audience, jobWorkflowRef] = await jwtParser(this.federatedToken); core.info("Federated token details:\n issuer - " + issuer + "\n subject claim - " + subjectClaim);
core.info("Federated token details:\n issuer - " + issuer + "\n subject claim - " + subjectClaim + "\n audience - " + audience + "\n job_workflow_ref - " + jobWorkflowRef);
}
catch (error) {
core.warning(`Failed to parse the federated token. Error: ${error}`);
}
} }
validate() { validate() {
@@ -104,7 +99,7 @@ export class LoginConfig {
} }
} }
if (!this.subscriptionId && !this.allowNoSubscriptionsLogin) { if (!this.subscriptionId && !this.allowNoSubscriptionsLogin) {
throw new Error("Ensure 'subscription-id' is supplied or 'allow-no-subscriptions' is 'true'."); throw new Error("Ensure subscriptionId is supplied.");
} }
} }
@@ -119,20 +114,5 @@ async function jwtParser(federatedToken: string) {
let tokenPayload = federatedToken.split('.')[1]; let tokenPayload = federatedToken.split('.')[1];
let bufferObj = Buffer.from(tokenPayload, "base64"); let bufferObj = Buffer.from(tokenPayload, "base64");
let decodedPayload = JSON.parse(bufferObj.toString("utf8")); let decodedPayload = JSON.parse(bufferObj.toString("utf8"));
const JWT_CLAIM_ISSUER = 'iss'; return [decodedPayload['iss'], decodedPayload['sub']];
const JWT_CLAIM_SUBJECT = 'sub'; }
const JWT_CLAIM_AUDIENCE = 'aud';
const JWT_CLAIM_JOB_WORKFLOW_REF = 'job_workflow_ref';
const requiredClaims = [
JWT_CLAIM_ISSUER,
JWT_CLAIM_SUBJECT,
JWT_CLAIM_AUDIENCE,
JWT_CLAIM_JOB_WORKFLOW_REF
];
for (const claim of requiredClaims) {
if (!decodedPayload[claim]) {
throw new Error(`The claim '${claim}' is missing from the token payload`);
}
}
return [decodedPayload[JWT_CLAIM_ISSUER], decodedPayload[JWT_CLAIM_SUBJECT], decodedPayload[JWT_CLAIM_AUDIENCE], decodedPayload[JWT_CLAIM_JOB_WORKFLOW_REF]];
}

4
src/common/Utils.ts
View File

@@ -7,8 +7,8 @@ import { AzPSConstants, AzPSUtils } from '../PowerShell/AzPSUtils';
export function setUserAgent(): void { export function setUserAgent(): void {
let usrAgentRepo = crypto.createHash('sha256').update(`${process.env.GITHUB_REPOSITORY}`).digest('hex'); let usrAgentRepo = crypto.createHash('sha256').update(`${process.env.GITHUB_REPOSITORY}`).digest('hex');
let actionName = 'AzureLogin'; let actionName = 'AzureLogin';
process.env.AZURE_HTTP_USER_AGENT = (!!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT} ` : '') + `GITHUBACTIONS/${actionName}@v2_${usrAgentRepo}_${process.env.RUNNER_ENVIRONMENT}_${process.env.GITHUB_RUN_ID}`; process.env.AZURE_HTTP_USER_AGENT = (!!process.env.AZURE_HTTP_USER_AGENT ? `${process.env.AZURE_HTTP_USER_AGENT} ` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
process.env.AZUREPS_HOST_ENVIRONMENT = (!!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT} ` : '') + `GITHUBACTIONS/${actionName}@v2_${usrAgentRepo}_${process.env.RUNNER_ENVIRONMENT}_${process.env.GITHUB_RUN_ID}`; process.env.AZUREPS_HOST_ENVIRONMENT = (!!process.env.AZUREPS_HOST_ENVIRONMENT ? `${process.env.AZUREPS_HOST_ENVIRONMENT} ` : '') + `GITHUBACTIONS/${actionName}@v1_${usrAgentRepo}`;
} }
export async function cleanupAzCLIAccounts(): Promise<void> { export async function cleanupAzCLIAccounts(): Promise<void> {

9
src/main.ts
View File

@@ -1,5 +1,5 @@
import * as core from '@actions/core'; import * as core from '@actions/core';
import { cleanupAzCLIAccounts, cleanupAzPSAccounts, setUserAgent } from './common/Utils'; import { setUserAgent } from './common/Utils';
import { AzPSLogin } from './PowerShell/AzPSLogin'; import { AzPSLogin } from './PowerShell/AzPSLogin';
import { LoginConfig } from './common/LoginConfig'; import { LoginConfig } from './common/LoginConfig';
import { AzureCliLogin } from './Cli/AzureCliLogin'; import { AzureCliLogin } from './Cli/AzureCliLogin';
@@ -7,13 +7,6 @@ import { AzureCliLogin } from './Cli/AzureCliLogin';
async function main() { async function main() {
try { try {
setUserAgent(); setUserAgent();
const preCleanup: string = process.env.AZURE_LOGIN_PRE_CLEANUP;
if ('true' == preCleanup) {
await cleanupAzCLIAccounts();
if (core.getInput('enable-AzPSSession').toLowerCase() === "true") {
await cleanupAzPSAccounts();
}
}
// prepare the login configuration // prepare the login configuration
var loginConfig = new LoginConfig(); var loginConfig = new LoginConfig();