Refactored azure OIDC and updated expiry

Author: RobinDuhan

.github/workflows/test.yml

@@ -5,7 +5,7 @@ on:
       JFROG_CREDENTIAL_PLUGIN_BINARY_URL:
         description: 'BINARY_URL (CI adds arch suffix automatically)'
         required: true
-        default: "https://partnership.jfrog.io/artifactory/credential-provider-test/jfrog-credential-provider"
+        default: "https://releases.jfrog.io/artifactory/run/jfrog-credentials-provider/0.1.0-beta.1/jfrog-credential-provider-linux"
         type: string
       DISABLE_TERRAFORM_DESTROY:
         description: 'DISABLE_TERRAFORM_DESTROY'
@@ -150,7 +150,11 @@ jobs:
       - name: Destroy Azure terraform resources
         id: destroy
         if: always() && !env.DISABLE_TERRAFORM_DESTROY
-        continue-on-error: true 
+        uses: nick-fields/retry@v3
+        with:
+          timeout_minutes: 20
+          max_attempts: 3
+          continue-on-error: true 
         run: |
           cd terraform-ci
           terraform destroy -input=false -auto-approve

build/terraform.tfvars.azure

@@ -1,5 +1,3 @@
-region = "ap-northeast-3"
-
 # The JFrog Credential Provider binary URL (no authentication required)
 # added by CI
 # jfrog_credential_provider_binary_url = "https://releases.jfrog.io/artifactory/run/jfrog-credentials-provider/0.1.0-beta.1/jfrog-credential-provider-aws-linux"
@@ -12,14 +10,6 @@ artifactory_url  = "partnership.jfrog.io"
 # The JFrog Artifactory username that will be granted the assume role permission
 artifactory_user = "aws-eks-user"
 
-create_eks_cluster = false
-# cluster_public_access_cidrs = ["0.0.0.0/0"]
-# cluster_name = "demo-eks-cluster"
-
-self_managed_eks_cluster = {
-    name = "aws-operator-jfrog"
-}
-
 jfrog_namespace = "jfrog"
 
 enable_aws = false

internal/autoupdate/fetch.go

@@ -75,9 +75,9 @@ func fetchLatestVersionTag(ctx context.Context, client *http.Client, currentVers
 	}
 
 	var latestVersionTag = addVPrefix(logs, currentVersion)
-	if !semver.IsValid(currentVersion) {
-		logs.Error("Current Version" + currentVersion + "isn't valid! Exiting")
-		return "", fmt.Errorf("invalid current version: %s", currentVersion)
+	if !semver.IsValid(latestVersionTag) {
+		logs.Error("Current Version " + latestVersionTag + " isn't valid! Exiting")
+		return "", fmt.Errorf("invalid current version: %s", latestVersionTag)
 	}
 
 	logs.Info("Current version: " + latestVersionTag)

internal/autoupdate/validate.go

@@ -25,6 +25,8 @@ import (
 	"os"
 	"os/exec"
 	"strings"
+
+	"gopkg.in/yaml.v3"
 )
 
 type EnvVar struct {
@@ -55,9 +57,19 @@ func loadProviderEnvsFromFile(logs *logger.Logger, configPath string, targetProv
 	}
 
 	var config CredentialProviderConfig
-	if err := json.Unmarshal(data, &config); err != nil {
-		logs.Error("Error unmarshalling config JSON: " + err.Error())
-		return nil, err
+
+	// if yaml, parse it in yaml
+	if strings.HasSuffix(configPath, ".yaml") || strings.HasSuffix(configPath, ".yml") {
+		if err := yaml.Unmarshal(data, &config); err != nil {
+			logs.Error("Error unmarshalling config YAML: " + err.Error())
+			return nil, err
+		}
+	} else {
+		// if json, parse it in json
+		if err := json.Unmarshal(data, &config); err != nil {
+			logs.Error("Error unmarshalling config JSON: " + err.Error())
+			return nil, err
+		}
 	}
 
 	var providerEnvs []string

internal/handlers/jfrog.go

@@ -86,38 +86,6 @@ func ExchangeOidcArtifactoryToken(s *service.Service, ctx context.Context,
 	return myResponse.Username, myResponse.AccessToken, nil
 }
 
-// ExchangeAzureOidcArtifactoryToken exchanges Azure OIDC token with JFrog Artifactory token
-func ExchangeAzureOidcArtifactoryToken(s *service.Service, ctx context.Context,
-	token string, artifactoryUrl string, providerName string, clientId string) (string, string, error) {
-	url := fmt.Sprintf("%s%s%s", "https://", artifactoryUrl, OIDC_ENDPOINT)
-	s.Logger.Info("RT azure oidc token url :" + url)
-
-	requestData := OidcTokenRequest{
-		GrantType:        "urn:ietf:params:oauth:grant-type:token-exchange",
-		ProviderName:     providerName,
-		SubjectTokenType: "urn:ietf:params:oauth:token-type:id_token",
-		SubjectToken:     token,
-		ProviderType:     "oidc-azure",
-		Audience:         clientId,
-	}
-	body, err := json.Marshal(requestData)
-	if err != nil {
-		return "", "", fmt.Errorf("error marshaling request: %v", err)
-	}
-
-	resp, err := utils.HttpReq(s, ctx, url, body, nil)
-	if err != nil {
-		return "", "", fmt.Errorf("error calling oidc token api: %v", err)
-	}
-	myResponse := &OidcAccessResponse{}
-	err = json.NewDecoder(resp.Body).Decode(myResponse)
-	if err != nil {
-		return "", "", fmt.Errorf("error reading artifactory response")
-	}
-	resp.Body.Close()
-	return myResponse.Username, myResponse.AccessToken, nil
-}
-
 func ExchangeAssumedRoleArtifactoryToken(s *service.Service, ctx context.Context, request *http.Request, artifactoryUrl string, secretTTL string) (string, string, error) {
 	url := fmt.Sprintf("%s%s%s", "https://", artifactoryUrl, AWS_TOKEN_ENDPOINT)
 	s.Logger.Info("RT token url :" + url)

internal/provider/provider.go

@@ -242,7 +242,7 @@ func handleAzureAuth(svc *service.Service, ctx context.Context, logs *logger.Log
 	}
 
 	// Exchange Azure OIDC token with JFrog Artifactory token
-	rtUsername, rtToken, err := handlers.ExchangeAzureOidcArtifactoryToken(svc, ctx, token, artifactoryUrl, jfrogOidcProviderName, azureAppClientId)
+	rtUsername, rtToken, err := handlers.ExchangeOidcArtifactoryToken(svc, ctx, token, artifactoryUrl, jfrogOidcProviderName, azureAppClientId)
 	if err != nil {
 		logs.Exit("ERROR in JFrog Credentials provider, error in createArtifactoryToken :"+err.Error(), 1)
 	}

terraform-module/artifactory.tf

@@ -98,7 +98,7 @@ resource "null_resource" "configure_artifactory_oidc" {
               "username": "${self.triggers.artifactory_user}",
               "scope": "applied-permissions/user",
               "audience": "*@*",
-              "expires_in": 330
+              "expires_in": 14400
             },
             "priority": 1
           }'