Add Support for SAS keys in Azure Blob

somtochiama · somtochiama · commit 0670db77ab5b · 2022-06-29T12:56:33.000+01:00
Signed-off-by: Somtochi Onyekwere &lt;somtochionyekwere@gmail.com&gt;
diff --git a/docs/spec/v1beta2/buckets.md b/docs/spec/v1beta2/buckets.md
@@ -295,6 +295,7 @@ sets of `.data` fields:
 - `clientId` for authenticating using a Managed Identity.
 - `accountKey` for authenticating using a
   [Shared Key](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/azblob#SharedKeyCredential).
+- `sasKey` for authenticating using a [SAS Token](https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview)
 
 For any Managed Identity and/or Azure Active Directory authentication method,
 the base URL can be configured using `.data.authorityHost`. If not supplied,
@@ -504,6 +505,36 @@ spec:
   endpoint: https://testfluxsas.blob.core.windows.net
 ```
 
+##### Azure Blob SAS Token example
+
+```yaml
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: Bucket
+metadata:
+  name: azure-sas-token
+  namespace: default
+spec:
+  interval: 5m0s
+  provider: azure
+  bucketName: <bucket-name>
+  endpoint: https://<account-name>.blob.core.windows.net
+  secretRef:
+    name: azure-key
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: azure-key
+  namespace: default
+type: Opaque
+data:
+  sasKey: <base64>
+```
+
+Note that the Azure SAS Token has an expiry date and it should be updated before it expires so that Flux can
+continue to access Azure Storage.
+
 #### GCP
 
 When a Bucket's `.spec.provider` is set to `gcp`, the source-controller will
diff --git a/go.mod b/go.mod
@@ -32,6 +32,7 @@ require (
 	github.com/fluxcd/pkg/testserver v0.2.0
 	github.com/fluxcd/pkg/untar v0.1.0
 	github.com/fluxcd/pkg/version v0.1.0
+	github.com/fluxcd/pkg/masktoken v0.0.1
 	github.com/fluxcd/source-controller/api v0.25.8
 	github.com/go-git/go-billy/v5 v5.3.1
 	github.com/go-git/go-git/v5 v5.4.2
diff --git a/go.sum b/go.sum
@@ -280,6 +280,8 @@ github.com/fluxcd/pkg/helmtestserver v0.7.4 h1:/Xj2+XLz7wr38MI3uPYvVAsZB9wQOq6rp
 github.com/fluxcd/pkg/helmtestserver v0.7.4/go.mod h1:aL5V4o8wUOMqeHMfjbVHS057E3ejzHMRVMqEbsK9FUQ=
 github.com/fluxcd/pkg/lockedfile v0.1.0 h1:YsYFAkd6wawMCcD74ikadAKXA4s2sukdxrn7w8RB5eo=
 github.com/fluxcd/pkg/lockedfile v0.1.0/go.mod h1:EJLan8t9MiOcgTs8+puDjbE6I/KAfHbdvIy9VUgIjm8=
+github.com/fluxcd/pkg/masktoken v0.0.1 h1:egWR/ibTzf4L3PxE8TauKO1srD1Ye/aalgQRQuKKRdU=
+github.com/fluxcd/pkg/masktoken v0.0.1/go.mod h1:sQmMtX4s5RwdGlByJazzNasWFFgBdmtNcgeZcGBI72Y=
 github.com/fluxcd/pkg/runtime v0.16.2 h1:CexfMmJK+r12sHTvKWyAax0pcPomjd6VnaHXcxjUrRY=
 github.com/fluxcd/pkg/runtime v0.16.2/go.mod h1:OHSKsrO+T+Ym8WZRS2oidrnauWRARuE2nfm8ewevm7M=
 github.com/fluxcd/pkg/ssh v0.5.0 h1:jE9F2XvUXC2mgseeXMATvO014fLqdB30/VzlPLKsk20=
diff --git a/pkg/azure/blob.go b/pkg/azure/blob.go
@@ -34,6 +34,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	ctrl "sigs.k8s.io/controller-runtime"
 
+	"github.com/fluxcd/pkg/masktoken"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
@@ -52,6 +53,7 @@ const (
 	clientCertificateSendChainField = "clientCertificateSendChain"
 	authorityHostField              = "authorityHost"
 	accountKeyField                 = "accountKey"
+	sasKeyField                     = "sasKey"
 )
 
 // BlobClient is a minimal Azure Blob client for fetching objects.
@@ -104,6 +106,14 @@ func NewClient(obj *sourcev1.Bucket, secret *corev1.Secret) (c *BlobClient, err
 			c.ServiceClient, err = azblob.NewServiceClientWithSharedKey(obj.Spec.Endpoint, cred, &azblob.ClientOptions{})
 			return
 		}
+
+		var fullPath string
+		if fullPath, err = sasTokenFromSecret(obj.Spec.Endpoint, secret); err != nil {
+			return
+		}
+
+		c.ServiceClient, err = azblob.NewServiceClientWithNoCredential(fullPath, &azblob.ClientOptions{})
+		return
 	}
 
 	// Compose token chain based on environment.
@@ -148,6 +158,9 @@ func ValidateSecret(secret *corev1.Secret) error {
 	if _, hasAccountKey := secret.Data[accountKeyField]; hasAccountKey {
 		valid = true
 	}
+	if _, hasSasKey := secret.Data[sasKeyField]; hasSasKey {
+		valid = true
+	}
 	if _, hasAuthorityHost := secret.Data[authorityHostField]; hasAuthorityHost {
 		valid = true
 	}
@@ -343,6 +356,39 @@ func sharedCredentialFromSecret(endpoint string, secret *corev1.Secret) (*azblob
 	return nil, nil
 }
 
+// sasTokenFromSecret retrieves the SAS Token from the `sasKey`. It returns an empty string if the Secret
+// does not contain a valid set of credentials.
+func sasTokenFromSecret(ep string, secret *corev1.Secret) (string, error) {
+	if sasKey, hasSASKey := secret.Data[sasKeyField]; hasSASKey {
+		queryString := strings.TrimPrefix(string(sasKey), "?")
+		values, err := url.ParseQuery(queryString)
+		if err != nil {
+			maskedErrorString, maskErr := masktoken.MaskTokenFromString(err.Error(), string(sasKey))
+			if maskErr != nil {
+				return "", fmt.Errorf("error redacting token from error message: %s", maskErr)
+			}
+			return "", fmt.Errorf("unable to parse SAS token: %s", maskedErrorString)
+		}
+
+		epURL, err := url.Parse(ep)
+		if err != nil {
+			return "", fmt.Errorf("unable to parse endpoint URL: %s", err)
+		}
+
+		//merge the query values in the endpoint wuth the token
+		epValues := epURL.Query()
+		for key, val := range epValues {
+			for _, str := range val {
+				values.Set(key, str)
+			}
+		}
+
+		epURL.RawQuery = values.Encode()
+		return epURL.String(), nil
+	}
+	return "", nil
+}
+
 // chainCredentialWithSecret tries to create a set of tokens, and returns an
 // azidentity.ChainedTokenCredential if at least one of the following tokens was
 // successfully created:
diff --git a/pkg/azure/blob_test.go b/pkg/azure/blob_test.go
@@ -25,6 +25,7 @@ import (
 	"errors"
 	"fmt"
 	"math/big"
+	"net/url"
 	"testing"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
@@ -68,6 +69,14 @@ func TestValidateSecret(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "valid SAS Key Secret",
+			secret: &corev1.Secret{
+				Data: map[string][]byte{
+					sasKeyField: []byte("?spr=<some-sas-url"),
+				},
+			},
+		},
 		{
 			name: "valid SharedKey Secret",
 			secret: &corev1.Secret{
@@ -292,6 +301,75 @@ func Test_sharedCredentialFromSecret(t *testing.T) {
 	}
 }
 
+func Test_sasTokenFromSecret(t *testing.T) {
+	tests := []struct {
+		name     string
+		endpoint string
+		secret   *corev1.Secret
+		want     string
+		wantErr  bool
+	}{
+		{
+			name:     "Valid SAS Token",
+			endpoint: "https://accountName.blob.windows.net",
+			secret: &corev1.Secret{
+				Data: map[string][]byte{
+					sasKeyField: []byte("?sv=2020-08-0&ss=bfqt&srt=co&sp=rwdlacupitfx&se=2022-05-26T21:55:35Z&st=2022-05-26T13:55:35Z&spr=https&sig=JlHT"),
+				},
+			},
+			want: "https://accountName.blob.windows.net?sv=2020-08-0&ss=bfqt&srt=co&sp=rwdlacupitfx&se=2022-05-26T21:55:35Z&st=2022-05-26T13:55:35Z&spr=https&sig=JlHT",
+		},
+		{
+			name:     "Valid SAS Token without leading question mark",
+			endpoint: "https://accountName.blob.windows.net",
+			secret: &corev1.Secret{
+				Data: map[string][]byte{
+					sasKeyField: []byte("sv=2020-08-04&ss=bfqt&srt=co&sp=rwdl&se=2022-05-26T21:55:35Z&st=2022-05-26&spr=https&sig=JlHT"),
+				},
+			},
+			want: "https://accountName.blob.windows.net?sv=2020-08-04&ss=bfqt&srt=co&sp=rwdl&se=2022-05-26T21:55:35Z&st=2022-05-26&spr=https&sig=JlHT",
+		},
+		{
+			name:     "endpoint with query values",
+			endpoint: "https://accountName.blob.windows.net?sv=2020-08-04",
+			secret: &corev1.Secret{
+				Data: map[string][]byte{
+					sasKeyField: []byte("ss=bfqt&srt=co&sp=rwdl&se=2022-05-26T21:55:35Z&st=2022-05-26&spr=https&sig=JlHT"),
+				},
+			},
+			want: "https://accountName.blob.windows.net?sv=2020-08-04&ss=bfqt&srt=co&sp=rwdl&se=2022-05-26T21:55:35Z&st=2022-05-26&spr=https&sig=JlHT",
+		},
+		{
+			name: "invalid sas token",
+			secret: &corev1.Secret{
+				Data: map[string][]byte{
+					sasKeyField: []byte("%##sssvecrpt"),
+				},
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			_, err := url.ParseQuery("")
+			got, err := sasTokenFromSecret(tt.endpoint, tt.secret)
+			g.Expect(err != nil).To(Equal(tt.wantErr))
+			if tt.want != "" {
+				ttVaules, err := url.Parse(tt.want)
+				g.Expect(err).To(BeNil())
+
+				gotValues, err := url.Parse(got)
+				g.Expect(err).To(BeNil())
+				g.Expect(gotValues.Query()).To(Equal(ttVaules.Query()))
+				return
+			}
+			g.Expect(got).To(Equal(""))
+		})
+	}
+}
+
 func Test_chainCredentialWithSecret(t *testing.T) {
 	g := NewWithT(t)
 

-Original file line number
+Diff line change
 	github.com/fluxcd/pkg/testserver v0.2.0
 	github.com/fluxcd/pkg/untar v0.1.0
 	github.com/fluxcd/pkg/version v0.1.0
 +	github.com/fluxcd/pkg/masktoken v0.0.1
 	github.com/fluxcd/source-controller/api v0.25.8
 	github.com/go-git/go-billy/v5 v5.3.1
 	github.com/go-git/go-git/v5 v5.4.2