add a first draft for sp auth

Author: moredatapls

.vscode/launch.json

@@ -0,0 +1,15 @@
+{
+    // Use IntelliSense to learn about possible attributes.
+    // Hover to view descriptions of existing attributes.
+    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "Launch Package",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}",
+        }
+    ]
+}

azure-devops-client/main.go

@@ -1,6 +1,7 @@
 package AzureDevopsClient
 
 import (
+	"encoding/json"
 	"errors"
 	"fmt"
 	"net/url"
@@ -21,7 +22,17 @@ type AzureDevopsClient struct {
 
 	organization *string
 	collection   *string
-	accessToken  *string
+
+	// we can either use a PAT token for authentication ...
+	accessToken *string
+
+	// ... or client id and secret
+	tenantId     *string
+	clientId     *string
+	clientSecret *string
+
+	entraIdToken              *EntraIdToken
+	entraIdTokenLastRefreshed int64
 
 	HostUrl *string
 
@@ -48,6 +59,13 @@ type AzureDevopsClient struct {
 	}
 }
 
+type EntraIdToken struct {
+	token_type     *string
+	expires_in     *int64
+	ext_expires_in *int64
+	access_token   *string
+}
+
 func NewAzureDevopsClient() *AzureDevopsClient {
 	c := AzureDevopsClient{}
 	c.Init()
@@ -62,6 +80,8 @@ func (c *AzureDevopsClient) Init() {
 	c.SetRetries(3)
 	c.SetConcurrency(10)
 
+	c.entraIdTokenLastRefreshed = 0
+
 	c.LimitBuildsPerProject = 100
 	c.LimitBuildsPerDefinition = 10
 	c.LimitReleasesPerDefinition = 100
@@ -115,46 +135,131 @@ func (c *AzureDevopsClient) SetAccessToken(token string) {
 	c.accessToken = &token
 }
 
+func (c *AzureDevopsClient) SetTenantId(tenantId string) {
+	c.tenantId = &tenantId
+}
+
+func (c *AzureDevopsClient) SetClientId(clientId string) {
+	c.clientId = &clientId
+}
+
+func (c *AzureDevopsClient) SetClientSecret(clientSecret string) {
+	c.clientSecret = &clientSecret
+}
+
+func (c *AzureDevopsClient) SupportsPatAuthentication() bool {
+	return c.accessToken != nil
+}
+
+func (c *AzureDevopsClient) SupportsServicePrincipalAuthentication() bool {
+	return c.tenantId != nil && c.clientId != nil && c.clientSecret != nil
+}
+
+func (c *AzureDevopsClient) HasExpiredEntraIdAccessToken() bool {
+	var currentUnix = time.Now().Unix()
+
+	// subtract 60 seconds of offset (should be enough time to use fire all requests)
+	return (c.entraIdToken == nil || currentUnix >= c.entraIdTokenLastRefreshed+*c.entraIdToken.expires_in-60)
+}
+
+func (c *AzureDevopsClient) RefreshEntraIdAccessToken() (string, error) {
+	var restClient = resty.New()
+
+	restClient.SetBaseURL(fmt.Sprintf("https://login.microsoftonline.com/%v/oauth2/v2.0/token", *c.tenantId))
+
+	restClient.SetFormData(map[string]string{
+		"client_id":     *c.clientId,
+		"client_secret": *c.clientSecret,
+		"grant_type":    "client_credentials",
+		"scope":         "499b84ac-1321-427f-aa17-267ca6975798", // the scope is always the same for Azure DevOps
+	})
+
+	restClient.SetHeader("Content-Type", "application/x-www-form-urlencoded")
+	restClient.SetHeader("Accept", "application/json")
+	restClient.SetRetryCount(c.RequestRetries)
+
+	var response, err = restClient.R().Post("")
+
+	if err != nil {
+		return "", err
+	}
+
+	err = json.Unmarshal(response.Body(), &c.entraIdToken)
+
+	if err != nil {
+		return "", err
+	}
+
+	c.entraIdTokenLastRefreshed = time.Now().Unix()
+
+	return *c.entraIdToken.access_token, nil
+}
+
 func (c *AzureDevopsClient) rest() *resty.Client {
+	var client, err = c.restWithAuthentication("dev.azure.com")
+
+	if err != nil {
+		// TODO handle error!
+	}
+
+	return client
+}
+
+func (c *AzureDevopsClient) restVsrm() *resty.Client {
+	var client, err = c.restWithAuthentication("vsrm.dev.azure.com")
+
+	if err != nil {
+		// TODO handle error!
+	}
+
+	return client
+}
+
+func (c *AzureDevopsClient) restWithAuthentication(domain string) (*resty.Client, error) {
 	if c.restClient == nil {
-		c.restClient = resty.New()
-		if c.HostUrl != nil {
-			c.restClient.SetBaseURL(*c.HostUrl + "/" + *c.organization + "/")
-		} else {
-			c.restClient.SetBaseURL(fmt.Sprintf("https://dev.azure.com/%v/", *c.organization))
-		}
-		c.restClient.SetHeader("Accept", "application/json")
+		c.restClient = c.restWithoutToken(domain)
+	}
+
+	if c.SupportsPatAuthentication() {
 		c.restClient.SetBasicAuth("", *c.accessToken)
-		c.restClient.SetRetryCount(c.RequestRetries)
-		if c.delayUntil != nil {
-			c.restClient.OnBeforeRequest(c.restOnBeforeRequestDelay)
-		} else {
-			c.restClient.OnBeforeRequest(c.restOnBeforeRequest)
-		}
+	} else if c.SupportsServicePrincipalAuthentication() {
+		if c.HasExpiredEntraIdAccessToken() {
+			var accessToken, err = c.RefreshEntraIdAccessToken()
 
-		c.restClient.OnAfterResponse(c.restOnAfterResponse)
+			if err != nil {
+				return nil, err
+			}
 
+			c.restClient.SetBasicAuth("", accessToken)
+		}
+	} else {
+		return nil, errors.New("no valid authentication method provided")
 	}
 
-	return c.restClient
+	return c.restClient, nil
 }
 
-func (c *AzureDevopsClient) restVsrm() *resty.Client {
-	if c.restClientVsrm == nil {
-		c.restClientVsrm = resty.New()
-		if c.HostUrl != nil {
-			c.restClientVsrm.SetBaseURL(*c.HostUrl + "/" + *c.organization + "/")
-		} else {
-			c.restClientVsrm.SetBaseURL(fmt.Sprintf("https://vsrm.dev.azure.com/%v/", *c.organization))
-		}
-		c.restClientVsrm.SetHeader("Accept", "application/json")
-		c.restClientVsrm.SetBasicAuth("", *c.accessToken)
-		c.restClientVsrm.SetRetryCount(c.RequestRetries)
-		c.restClientVsrm.OnBeforeRequest(c.restOnBeforeRequest)
-		c.restClientVsrm.OnAfterResponse(c.restOnAfterResponse)
+func (c *AzureDevopsClient) restWithoutToken(domain string) *resty.Client {
+	var restClient = resty.New()
+
+	if c.HostUrl != nil {
+		restClient.SetBaseURL(*c.HostUrl + "/" + *c.organization + "/")
+	} else {
+		restClient.SetBaseURL(fmt.Sprintf("https://%v/%v/", domain, *c.organization))
+	}
+
+	restClient.SetHeader("Accept", "application/json")
+	restClient.SetRetryCount(c.RequestRetries)
+
+	if c.delayUntil != nil {
+		restClient.OnBeforeRequest(c.restOnBeforeRequestDelay)
+	} else {
+		restClient.OnBeforeRequest(c.restOnBeforeRequest)
 	}
 
-	return c.restClientVsrm
+	restClient.OnAfterResponse(c.restOnAfterResponse)
+
+	return restClient
 }
 
 func (c *AzureDevopsClient) concurrencyLock() {

config/opts.go

@@ -38,9 +38,12 @@ type (
 
 		// azure settings
 		AzureDevops struct {
-			Url             *string `long:"azuredevops.url"                     env:"AZURE_DEVOPS_URL"               description:"Azure DevOps url (empty if hosted by microsoft)"`
+			Url             *string `long:"azuredevops.url"                     env:"AZURE_DEVOPS_URL"               description:"Azure DevOps URL (empty if hosted by Microsoft)"`
 			AccessToken     string  `long:"azuredevops.access-token"            env:"AZURE_DEVOPS_ACCESS_TOKEN"      description:"Azure DevOps access token" json:"-"`
 			AccessTokenFile *string `long:"azuredevops.access-token-file"       env:"AZURE_DEVOPS_ACCESS_TOKEN_FILE" description:"Azure DevOps access token (from file)"`
+			TenantId        string  `long:"azuredevops.tenant-id"               env:"AZURE_TENANT_ID"                description:"Azure tenant ID for Service Principal authentication" json:"-"`
+			ClientId        string  `long:"azuredevops.client-id"               env:"AZURE_CLIENT_ID"                description:"Client ID for Service Principal authentication" json:"-"`
+			ClientSecret    string  `long:"azuredevops.client-secret"           env:"AZURE_CLIENT_SECRET"            description:"Client secret for Service Principal authentication" json:"-"`
 			Organisation    string  `long:"azuredevops.organisation"            env:"AZURE_DEVOPS_ORGANISATION"      description:"Azure DevOps organization" required:"true"`
 			ApiVersion      string  `long:"azuredevops.apiversion"              env:"AZURE_DEVOPS_APIVERSION"        description:"Azure DevOps API version"  default:"5.1"`
 

go.mod

@@ -1,6 +1,6 @@
 module github.com/webdevops/azure-devops-exporter
 
-go 1.22
+go 1.22.0
 
 require (
 	github.com/go-resty/resty/v2 v2.11.0

main.go

@@ -36,8 +36,8 @@ var (
 )
 
 func main() {
-	initArgparser()
 	initLogger()
+	initArgparser()
 
 	logger.Infof("starting azure-devops-exporter v%s (%s; %s; by %v)", gitTag, gitCommit, runtime.Version(), Author)
 	logger.Info(string(opts.GetJson()))
@@ -82,8 +82,8 @@ func initArgparser() {
 		}
 	}
 
-	if len(opts.AzureDevops.AccessToken) == 0 {
-		logger.Fatalf("no Azure DevOps access token specified")
+	if len(opts.AzureDevops.AccessToken) == 0 || (len(opts.AzureDevops.TenantId) == 0 && len(opts.AzureDevops.ClientId) == 0 && len(opts.AzureDevops.ClientSecret) == 0) {
+		logger.Fatalf("neither an Azure DevOps PAT token nor client credentials (tenant ID, client ID, client secret) for service principal authentication have been provided")
 	}
 
 	// ensure query paths and projects are splitted by '@'
@@ -160,6 +160,9 @@ func initAzureDevOpsConnection() {
 
 	AzureDevopsClient.SetOrganization(opts.AzureDevops.Organisation)
 	AzureDevopsClient.SetAccessToken(opts.AzureDevops.AccessToken)
+	AzureDevopsClient.SetTenantId(opts.AzureDevops.TenantId)
+	AzureDevopsClient.SetClientId(opts.AzureDevops.ClientId)
+	AzureDevopsClient.SetClientSecret(opts.AzureDevops.ClientSecret)
 	AzureDevopsClient.SetApiVersion(opts.AzureDevops.ApiVersion)
 	AzureDevopsClient.SetConcurrency(opts.Request.ConcurrencyLimit)
 	AzureDevopsClient.SetRetries(opts.Request.Retries)