Provide support for authentication with access token (#59)

Co-authored-by: Tom Kerkhove <kerkhove.tom@gmail.com>
Co-authored-by: Michiel Vanwelsenaere <Michiel.Vanwelsenaere@codit.eu>

Author: 3 people

build/ci-build.yml

@@ -74,6 +74,15 @@ stages:
             inputs:
               artifact: 'Build'
               path: '$(Build.SourcesDirectory)'
+          - task: AzureCLI@2
+            displayName: 'Get Token for Azure Management API'
+            inputs:
+              azureSubscription: 'Invictus - Azure'
+              scriptType: pscore
+              scriptLocation: inlineScript
+              inlineScript: |              
+                $token= & az account get-access-token --resource="https://management.azure.com/" --query accessToken
+                Write-Host "##vso[task.setvariable variable=Azure.ManagementApi.AccessToken]$token"
           - template: test/run-integration-tests.yml@templates
             parameters:
               dotnetSdkVersion: '$(DotNet.Sdk.Version)'

docs/logic-apps/authentication.md

@@ -6,14 +6,18 @@ Before you can start using the Azure Logic App testing features, you need to aut
 
 As of today, we provide the following authentication scenarios:
 
+- [**Prerequisites**](#Prerequisites)
 - [**Using Service Principal**](#using-a-service-principal)
+- [**Using an Access Token**](#using-an-Access-Token)
 
-## Using a Service Principal
+## Prerequisites 
 
 Before we can authenticate, you'll need to [create an Azure AD application](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal) which will be used as your service principle.
 
 The service principal will need to have at least [`Logic App Contributor`](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#logic-app-contributor) permissions on all your Azure Logic App instances that you want to test.
 
+## Using a Service Principal
+
 When using a service principal, you need to provide the following information:
 - **Tenant Id** - Identifier of the Azure AD directory
 - **Subscription Id** - Identifier of the Azure subscription that contains your Azure Logic App
@@ -39,3 +43,31 @@ using (var logicApp = await LogicAppClient.CreateAsync(resourceGroup, logicAppNa
 {	
 }
 ```
+
+## Using an Access Token
+
+The main purpose of authenticating using a token is to avoid distributing sensitive service principle details. As the testing framework uses the Azure Management API, the `resource` scope when requesting a access token should be set to `https://management.azure.com/`.
+
+*More details on requesting a token can be found [here](https://docs.microsoft.com/en-us/rest/api/azure/#acquire-an-access-token).*
+
+When using a service principal, you need to provide the following information:
+- **Tenant Id** - Identifier of the Azure AD directory
+- **Access Token** - The token to be used to authenticate with the Azure Management API
+
+Here is an example:
+```csharp
+string subscriptionId = "my-subscription-id";
+string accessToken = "my-accessToken";
+string resourceGroup = "my-resource-group";
+string logicAppName = "my-logic-app-name";
+
+var authentication = LogicAppAuthentication.UsingAccessToken(subscriptionId, accessToken);
+
+// For the Logic App provider
+var provider = LogicAppsProvider.LocatedAt(resourceGroupName, logicAppName, authentication);
+
+// For the Logic App client
+using (var logicApp = await LogicAppClient.CreateAsync(resourceGroup, logicAppName, authentication))	
+{	
+}
+```

src/Invictus.Testing.LogicApps/LogicAppAuthentication.cs

@@ -66,6 +66,41 @@ public static LogicAppAuthentication UsingServicePrincipal(string tenantId, stri
                 () => AuthenticateLogicAppsManagementAsync(subscriptionId, tenantId, clientId, clientSecret));
         }
 
+        /// <summary>
+        /// Uses a accessToken to authenticate with Azure.
+        /// </summary>
+        /// <param name="subscriptionId">The ID that identifies the subscription on Azure.</param>
+        /// <param name="accessToken">The token to use to call the Azure management API.</param>
+        public static LogicAppAuthentication UsingAccessToken(string subscriptionId, string accessToken)
+        {
+            Guard.NotNullOrWhitespace(subscriptionId, nameof(subscriptionId));
+            Guard.NotNullOrWhitespace(accessToken, nameof(accessToken));
+
+            return new LogicAppAuthentication(
+                () => AuthenticateLogicAppsManagementAsync(subscriptionId, accessToken));
+        }
+
+        /// <summary>
+        /// Uses an access token to authenticate with Azure.
+        /// </summary>
+        /// <param name="subscriptionId">The ID that identifies the subscription on Azure.</param>
+        /// <param name="accessTokenKey">The secret key to use to fetch access token from the secret provider. This will be used to call the Azure management API.</param>
+        /// <param name="secretProvider">The provider to get the client secret; using the <paramref name="accessTokenKey"/>.</param>
+        public static LogicAppAuthentication UsingAccessToken(string subscriptionId, string accessTokenKey, ISecretProvider secretProvider)
+        {
+            Guard.NotNullOrWhitespace(subscriptionId, nameof(subscriptionId));
+            Guard.NotNullOrWhitespace(accessTokenKey, nameof(accessTokenKey));
+            Guard.NotNull(secretProvider, nameof(secretProvider));
+
+            return new LogicAppAuthentication(async () =>
+            {
+                string accessToken = await secretProvider.GetRawSecretAsync(accessTokenKey);
+                LogicManagementClient managementClient = await AuthenticateLogicAppsManagementAsync(subscriptionId, accessToken);
+
+            return managementClient;
+            });
+        }
+
         /// <summary>
         /// Authenticate with Azure with the previously chosen authentication mechanism.
         /// </summary>
@@ -86,10 +121,18 @@ private static async Task<LogicManagementClient> AuthenticateLogicAppsManagement
 
             AuthenticationResult token = await authContext.AcquireTokenAsync("https://management.azure.com/", credential);
 
-            return new LogicManagementClient(new TokenCredentials(token.AccessToken))
+            return await AuthenticateLogicAppsManagementAsync(subscriptionId, token.AccessToken);
+        }
+
+        private static async Task<LogicManagementClient> AuthenticateLogicAppsManagementAsync(string subscriptionId, string accessToken)
+        {
+            Guard.NotNullOrWhitespace(subscriptionId, nameof(subscriptionId));
+            Guard.NotNullOrWhitespace(accessToken, nameof(accessToken));
+
+            return new LogicManagementClient(new TokenCredentials(accessToken))
             {
                 SubscriptionId = subscriptionId
             };
         }
     }
-}
+}

src/Invictus.Testing.Tests.Integration/LogicAppAuthenticationTests.cs

@@ -8,6 +8,7 @@
 using Microsoft.Azure.Management.Logic;
 using Xunit;
 using Xunit.Abstractions;
+using Microsoft.IdentityModel.Clients.ActiveDirectory;
 
 namespace Invictus.Testing.Tests.Integration
 {
@@ -43,6 +44,23 @@ public async Task AuthenticateLogicAppManagement_UsingSecretProvider_Succeeds()
             Assert.True(_isClientSecretRequested);
         }
 
+        [Fact]
+        public async Task AuthenticateLogicAppManagement_UsingAccessToken_Succeeds()
+        {
+            // Arrange
+            string subscriptionId = Configuration.GetAzureSubscriptionId();
+            string accessToken = Configuration.GetAzureAccessToken();
+
+            var authentication = LogicAppAuthentication.UsingAccessToken(subscriptionId, accessToken);
+
+            // Act
+            using (LogicManagementClient managementClient = await authentication.AuthenticateAsync())
+            {
+                // Assert
+                Assert.NotNull(managementClient);
+            }
+        }
+
         public Task<string> GetRawSecretAsync(string secretName)
         {
             Guard.For<ArgumentException>(() => !secretName.Equals(ClientSecretKey), "Should request for correct client secret key");

src/Invictus.Testing.Tests.Integration/TestConfig.cs

@@ -104,6 +104,14 @@ public string GetAzureClientSecret()
             return GetRequiredValue("Azure:Authentication:ClientSecret");
         }
 
+        /// <summary>
+        /// Gets the access token of the application registered to authenticate with the Azure Logic Apps.
+        /// </summary>
+        public string GetAzureAccessToken()
+        {
+            return GetRequiredValue("Azure:Authentication:AccessToken");
+        }
+
         private string GetRequiredValue(string key)
         {
             string value = _configuration[key];

src/Invictus.Testing.Tests.Integration/appsettings.json

@@ -6,7 +6,8 @@
 
     "Authentication": {
       "ClientId": "#{LogicApps.ClientId}#",
-      "ClientSecret": "#{LogicApps.ClientSecret}#"
+      "ClientSecret": "#{LogicApps.ClientSecret}#",
+      "AccessToken": "#{Azure.ManagementApi.AccessToken}#"
     },
 
     "LogicApps": {