Rev Azure SDK to v11.1.1

vendor/github.com/Azure/go-autorest/autorest/BUILD

@@ -9,6 +9,9 @@ go_library(
         "error.go",
         "preparer.go",
         "responder.go",
+        "retriablerequest.go",
+        "retriablerequest_1.7.go",
+        "retriablerequest_1.8.go",
         "sender.go",
         "utility.go",
         "version.go",

vendor/github.com/Azure/go-autorest/autorest/adal/BUILD

@@ -5,13 +5,22 @@ go_library(
     srcs = [
         "config.go",
         "devicetoken.go",
+        "msi.go",
         "persist.go",
         "sender.go",
         "token.go",
-    ],
+    ] + select({
+        "@io_bazel_rules_go//go/platform:windows_amd64": [
+            "msi_windows.go",
+        ],
+        "//conditions:default": [],
+    }),
     importpath = "github.com/Azure/go-autorest/autorest/adal",
     visibility = ["//visibility:public"],
-    deps = ["//vendor/github.com/dgrijalva/jwt-go:go_default_library"],
+    deps = [
+        "//vendor/github.com/Azure/go-autorest/autorest/date:go_default_library",
+        "//vendor/github.com/dgrijalva/jwt-go:go_default_library",
+    ],
 )
 
 filegroup(

vendor/github.com/Azure/go-autorest/autorest/adal/msi.go

@@ -0,0 +1,6 @@
+// +build !windows
+
+package adal
+
+// msiPath is the path to the MSI Extension settings file (to discover the endpoint)
+var msiPath = "/var/lib/waagent/ManagedIdentity-Settings"

vendor/github.com/Azure/go-autorest/autorest/adal/msi_windows.go

@@ -0,0 +1,11 @@
+// +build windows
+
+package adal
+
+import (
+	"os"
+	"strings"
+)
+
+// msiPath is the path to the MSI Extension settings file (to discover the endpoint)
+var msiPath = strings.Join([]string{os.Getenv("SystemDrive"), "WindowsAzure/Config/ManagedIdentity-Settings"}, "/")

vendor/github.com/Azure/go-autorest/autorest/adal/token.go

@@ -15,12 +15,12 @@ import (
 	"strings"
 	"time"
 
+	"github.com/Azure/go-autorest/autorest/date"
 	"github.com/dgrijalva/jwt-go"
 )
 
 const (
 	defaultRefresh = 5 * time.Minute
-	tokenBaseDate  = "1970-01-01T00:00:00Z"
 
 	// OAuthGrantTypeDeviceCode is the "grant_type" identifier used in device flow
 	OAuthGrantTypeDeviceCode = "device_code"
@@ -31,16 +31,10 @@ const (
 	// OAuthGrantTypeRefreshToken is the "grant_type" identifier used in refresh token flows
 	OAuthGrantTypeRefreshToken = "refresh_token"
 
-	// managedIdentitySettingsPath is the path to the MSI Extension settings file (to discover the endpoint)
-	managedIdentitySettingsPath = "/var/lib/waagent/ManagedIdentity-Settings"
+	// metadataHeader is the header required by MSI extension
+	metadataHeader = "Metadata"
 )
 
-var expirationBase time.Time
-
-func init() {
-	expirationBase, _ = time.Parse(time.RFC3339, tokenBaseDate)
-}
-
 // OAuthTokenProvider is an interface which should be implemented by an access token retriever
 type OAuthTokenProvider interface {
 	OAuthToken() string
@@ -76,7 +70,10 @@ func (t Token) Expires() time.Time {
 	if err != nil {
 		s = -3600
 	}
-	return expirationBase.Add(time.Duration(s) * time.Second).UTC()
+
+	expiration := date.NewUnixTimeFromSeconds(float64(s))
+
+	return time.Time(expiration).UTC()
 }
 
 // IsExpired returns true if the Token is expired, false otherwise.
@@ -135,9 +132,7 @@ type ServicePrincipalMSISecret struct {
 }
 
 // SetAuthenticationValues is a method of the interface ServicePrincipalSecret.
-// MSI extension requires the authority field to be set to the real tenant authority endpoint
 func (msiSecret *ServicePrincipalMSISecret) SetAuthenticationValues(spt *ServicePrincipalToken, v *url.Values) error {
-	v.Set("authority", spt.oauthConfig.AuthorityEndpoint.String())
 	return nil
 }
 
@@ -261,41 +256,43 @@ func NewServicePrincipalTokenFromCertificate(oauthConfig OAuthConfig, clientID s
 	)
 }
 
-// NewServicePrincipalTokenFromMSI creates a ServicePrincipalToken via the MSI VM Extension.
-func NewServicePrincipalTokenFromMSI(oauthConfig OAuthConfig, resource string, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error) {
-	return newServicePrincipalTokenFromMSI(oauthConfig, resource, managedIdentitySettingsPath, callbacks...)
+// GetMSIVMEndpoint gets the MSI endpoint on Virtual Machines.
+func GetMSIVMEndpoint() (string, error) {
+	return getMSIVMEndpoint(msiPath)
 }
 
-func newServicePrincipalTokenFromMSI(oauthConfig OAuthConfig, resource, settingsPath string, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error) {
+func getMSIVMEndpoint(path string) (string, error) {
 	// Read MSI settings
-	bytes, err := ioutil.ReadFile(settingsPath)
+	bytes, err := ioutil.ReadFile(path)
 	if err != nil {
-		return nil, err
+		return "", err
 	}
 	msiSettings := struct {
 		URL string `json:"url"`
 	}{}
 	err = json.Unmarshal(bytes, &msiSettings)
 	if err != nil {
-		return nil, err
+		return "", err
 	}
 
+	return msiSettings.URL, nil
+}
+
+// NewServicePrincipalTokenFromMSI creates a ServicePrincipalToken via the MSI VM Extension.
+func NewServicePrincipalTokenFromMSI(msiEndpoint, resource string, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error) {
 	// We set the oauth config token endpoint to be MSI's endpoint
-	// We leave the authority as-is so MSI can POST it with the token request
-	msiEndpointURL, err := url.Parse(msiSettings.URL)
+	msiEndpointURL, err := url.Parse(msiEndpoint)
 	if err != nil {
 		return nil, err
 	}
 
-	msiTokenEndpointURL, err := msiEndpointURL.Parse("/oauth2/token")
+	oauthConfig, err := NewOAuthConfig(msiEndpointURL.String(), "")
 	if err != nil {
 		return nil, err
 	}
 
-	oauthConfig.TokenEndpoint = *msiTokenEndpointURL
-
 	spt := &ServicePrincipalToken{
-		oauthConfig:      oauthConfig,
+		oauthConfig:      *oauthConfig,
 		secret:           &ServicePrincipalMSISecret{},
 		resource:         resource,
 		autoRefresh:      true,
@@ -364,16 +361,24 @@ func (spt *ServicePrincipalToken) refreshInternal(resource string) error {
 
 	req.ContentLength = int64(len(s))
 	req.Header.Set(contentType, mimeTypeFormPost)
+	if _, ok := spt.secret.(*ServicePrincipalMSISecret); ok {
+		req.Header.Set(metadataHeader, "true")
+	}
 	resp, err := spt.sender.Do(req)
 	if err != nil {
 		return fmt.Errorf("adal: Failed to execute the refresh request. Error = '%v'", err)
 	}
+
 	defer resp.Body.Close()
+	rb, err := ioutil.ReadAll(resp.Body)
+
 	if resp.StatusCode != http.StatusOK {
-		return fmt.Errorf("adal: Refresh request failed. Status Code = '%d'", resp.StatusCode)
+		if err != nil {
+			return fmt.Errorf("adal: Refresh request failed. Status Code = '%d'. Failed reading response body", resp.StatusCode)
+		}
+		return fmt.Errorf("adal: Refresh request failed. Status Code = '%d'. Response body: %s", resp.StatusCode, string(rb))
 	}
 
-	rb, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return fmt.Errorf("adal: Failed to read a new service principal token during refresh. Error = '%v'", err)
 	}

vendor/github.com/Azure/go-autorest/autorest/authorization.go

@@ -3,10 +3,18 @@ package autorest
 import (
 	"fmt"
 	"net/http"
+	"net/url"
+	"strings"
 
 	"github.com/Azure/go-autorest/autorest/adal"
 )
 
+const (
+	bearerChallengeHeader = "Www-Authenticate"
+	bearer                = "Bearer"
+	tenantID              = "tenantID"
+)
+
 // Authorizer is the interface that provides a PrepareDecorator used to supply request
 // authorization. Most often, the Authorizer decorator runs last so it has access to the full
 // state of the formed HTTP request.
@@ -55,3 +63,105 @@ func (ba *BearerAuthorizer) WithAuthorization() PrepareDecorator {
 		})
 	}
 }
+
+// BearerAuthorizerCallbackFunc is the authentication callback signature.
+type BearerAuthorizerCallbackFunc func(tenantID, resource string) (*BearerAuthorizer, error)
+
+// BearerAuthorizerCallback implements bearer authorization via a callback.
+type BearerAuthorizerCallback struct {
+	sender   Sender
+	callback BearerAuthorizerCallbackFunc
+}
+
+// NewBearerAuthorizerCallback creates a bearer authorization callback.  The callback
+// is invoked when the HTTP request is submitted.
+func NewBearerAuthorizerCallback(sender Sender, callback BearerAuthorizerCallbackFunc) *BearerAuthorizerCallback {
+	if sender == nil {
+		sender = &http.Client{}
+	}
+	return &BearerAuthorizerCallback{sender: sender, callback: callback}
+}
+
+// WithAuthorization returns a PrepareDecorator that adds an HTTP Authorization header whose value
+// is "Bearer " followed by the token.  The BearerAuthorizer is obtained via a user-supplied callback.
+//
+// By default, the token will be automatically refreshed through the Refresher interface.
+func (bacb *BearerAuthorizerCallback) WithAuthorization() PrepareDecorator {
+	return func(p Preparer) Preparer {
+		return PreparerFunc(func(r *http.Request) (*http.Request, error) {
+			// make a copy of the request and remove the body as it's not
+			// required and avoids us having to create a copy of it.
+			rCopy := *r
+			removeRequestBody(&rCopy)
+
+			resp, err := bacb.sender.Do(&rCopy)
+			if err == nil && resp.StatusCode == 401 {
+				defer resp.Body.Close()
+				if hasBearerChallenge(resp) {
+					bc, err := newBearerChallenge(resp)
+					if err != nil {
+						return r, err
+					}
+					if bacb.callback != nil {
+						ba, err := bacb.callback(bc.values[tenantID], bc.values["resource"])
+						if err != nil {
+							return r, err
+						}
+						return ba.WithAuthorization()(p).Prepare(r)
+					}
+				}
+			}
+			return r, err
+		})
+	}
+}
+
+// returns true if the HTTP response contains a bearer challenge
+func hasBearerChallenge(resp *http.Response) bool {
+	authHeader := resp.Header.Get(bearerChallengeHeader)
+	if len(authHeader) == 0 || strings.Index(authHeader, bearer) < 0 {
+		return false
+	}
+	return true
+}
+
+type bearerChallenge struct {
+	values map[string]string
+}
+
+func newBearerChallenge(resp *http.Response) (bc bearerChallenge, err error) {
+	challenge := strings.TrimSpace(resp.Header.Get(bearerChallengeHeader))
+	trimmedChallenge := challenge[len(bearer)+1:]
+
+	// challenge is a set of key=value pairs that are comma delimited
+	pairs := strings.Split(trimmedChallenge, ",")
+	if len(pairs) < 1 {
+		err = fmt.Errorf("challenge '%s' contains no pairs", challenge)
+		return bc, err
+	}
+
+	bc.values = make(map[string]string)
+	for i := range pairs {
+		trimmedPair := strings.TrimSpace(pairs[i])
+		pair := strings.Split(trimmedPair, "=")
+		if len(pair) == 2 {
+			// remove the enclosing quotes
+			key := strings.Trim(pair[0], "\"")
+			value := strings.Trim(pair[1], "\"")
+
+			switch key {
+			case "authorization", "authorization_uri":
+				// strip the tenant ID from the authorization URL
+				asURL, err := url.Parse(value)
+				if err != nil {
+					return bc, err
+				}
+				bc.values[tenantID] = asURL.Path[1:]
+			default:
+				bc.values[key] = value
+			}
+		}
+	}
+
+	return bc, err
+}

vendor/github.com/Azure/go-autorest/autorest/client.go

@@ -35,6 +35,7 @@ var (
 
 	statusCodesForRetry = []int{
 		http.StatusRequestTimeout,      // 408
+		http.StatusTooManyRequests,     // 429
 		http.StatusInternalServerError, // 500
 		http.StatusBadGateway,          // 502
 		http.StatusServiceUnavailable,  // 503

vendor/github.com/Azure/go-autorest/autorest/error.go

@@ -31,6 +31,9 @@ type DetailedError struct {
 
 	// Service Error is the response body of failed API in bytes
 	ServiceError []byte
+
+	// Response is the response object that was returned during failure if applicable.
+	Response *http.Response
 }
 
 // NewError creates a new Error conforming object from the passed packageType, method, and
@@ -67,6 +70,7 @@ func NewErrorWithError(original error, packageType string, method string, resp *
 		Method:      method,
 		StatusCode:  statusCode,
 		Message:     fmt.Sprintf(message, args...),
+		Response:    resp,
 	}
 }
 

vendor/github.com/Azure/go-autorest/autorest/retriablerequest.go

@@ -0,0 +1,38 @@
+package autorest
+
+import (
+	"bytes"
+	"io"
+	"io/ioutil"
+	"net/http"
+)
+
+// NewRetriableRequest returns a wrapper around an HTTP request that support retry logic.
+func NewRetriableRequest(req *http.Request) *RetriableRequest {
+	return &RetriableRequest{req: req}
+}
+
+// Request returns the wrapped HTTP request.
+func (rr *RetriableRequest) Request() *http.Request {
+	return rr.req
+}
+
+func (rr *RetriableRequest) prepareFromByteReader() (err error) {
+	// fall back to making a copy (only do this once)
+	b := []byte{}
+	if rr.req.ContentLength > 0 {
+		b = make([]byte, rr.req.ContentLength)
+		_, err = io.ReadFull(rr.req.Body, b)
+		if err != nil {
+			return err
+		}
+	} else {
+		b, err = ioutil.ReadAll(rr.req.Body)
+		if err != nil {
+			return err
+		}
+	}
+	rr.br = bytes.NewReader(b)
+	rr.req.Body = ioutil.NopCloser(rr.br)
+	return err
+}

vendor/github.com/Azure/go-autorest/autorest/retriablerequest_1.7.go

@@ -0,0 +1,44 @@
+// +build !go1.8
+
+package autorest
+
+import (
+	"bytes"
+	"net/http"
+)
+
+// RetriableRequest provides facilities for retrying an HTTP request.
+type RetriableRequest struct {
+	req   *http.Request
+	br    *bytes.Reader
+	reset bool
+}
+
+// Prepare signals that the request is about to be sent.
+func (rr *RetriableRequest) Prepare() (err error) {
+	// preserve the request body; this is to support retry logic as
+	// the underlying transport will always close the reqeust body
+	if rr.req.Body != nil {
+		if rr.reset {
+			if rr.br != nil {
+				_, err = rr.br.Seek(0, 0 /*io.SeekStart*/)
+			}
+			rr.reset = false
+			if err != nil {
+				return err
+			}
+		}
+		if rr.br == nil {
+			// fall back to making a copy (only do this once)
+			err = rr.prepareFromByteReader()
+		}
+		// indicates that the request body needs to be reset
+		rr.reset = true
+	}
+	return err
+}
+
+func removeRequestBody(req *http.Request) {
+	req.Body = nil
+	req.ContentLength = 0
+}

vendor/github.com/Azure/go-autorest/autorest/retriablerequest_1.8.go

@@ -0,0 +1,56 @@
+// +build go1.8
+
+package autorest
+
+import (
+	"bytes"
+	"io"
+	"net/http"
+)
+
+// RetriableRequest provides facilities for retrying an HTTP request.
+type RetriableRequest struct {
+	req   *http.Request
+	rc    io.ReadCloser
+	br    *bytes.Reader
+	reset bool
+}
+
+// Prepare signals that the request is about to be sent.
+func (rr *RetriableRequest) Prepare() (err error) {
+	// preserve the request body; this is to support retry logic as
+	// the underlying transport will always close the reqeust body
+	if rr.req.Body != nil {
+		if rr.reset {
+			if rr.rc != nil {
+				rr.req.Body = rr.rc
+			} else if rr.br != nil {
+				_, err = rr.br.Seek(0, io.SeekStart)
+			}
+			rr.reset = false
+			if err != nil {
+				return err
+			}
+		}
+		if rr.req.GetBody != nil {
+			// this will allow us to preserve the body without having to
+			// make a copy.  note we need to do this on each iteration
+			rr.rc, err = rr.req.GetBody()
+			if err != nil {
+				return err
+			}
+		} else if rr.br == nil {
+			// fall back to making a copy (only do this once)
+			err = rr.prepareFromByteReader()
+		}
+		// indicates that the request body needs to be reset
+		rr.reset = true
+	}
+	return err
+}
+
+func removeRequestBody(req *http.Request) {
+	req.Body = nil
+	req.GetBody = nil
+	req.ContentLength = 0
+}

vendor/github.com/Azure/go-autorest/autorest/sender.go

@@ -1,12 +1,11 @@
 package autorest
 
 import (
-	"bytes"
 	"fmt"
-	"io/ioutil"
 	"log"
 	"math"
 	"net/http"
+	"strconv"
 	"time"
 )
 
@@ -175,8 +174,13 @@ func DoPollForStatusCodes(duration time.Duration, delay time.Duration, codes ...
 func DoRetryForAttempts(attempts int, backoff time.Duration) SendDecorator {
 	return func(s Sender) Sender {
 		return SenderFunc(func(r *http.Request) (resp *http.Response, err error) {
+			rr := NewRetriableRequest(r)
 			for attempt := 0; attempt < attempts; attempt++ {
-				resp, err = s.Do(r)
+				err = rr.Prepare()
+				if err != nil {
+					return resp, err
+				}
+				resp, err = s.Do(rr.Request())
 				if err == nil {
 					return resp, err
 				}
@@ -194,29 +198,43 @@ func DoRetryForAttempts(attempts int, backoff time.Duration) SendDecorator {
 func DoRetryForStatusCodes(attempts int, backoff time.Duration, codes ...int) SendDecorator {
 	return func(s Sender) Sender {
 		return SenderFunc(func(r *http.Request) (resp *http.Response, err error) {
-			b := []byte{}
-			if r.Body != nil {
-				b, err = ioutil.ReadAll(r.Body)
-				if err != nil {
-					return resp, err
-				}
-			}
-
+			rr := NewRetriableRequest(r)
 			// Increment to add the first call (attempts denotes number of retries)
 			attempts++
 			for attempt := 0; attempt < attempts; attempt++ {
-				r.Body = ioutil.NopCloser(bytes.NewBuffer(b))
-				resp, err = s.Do(r)
+				err = rr.Prepare()
+				if err != nil {
+					return resp, err
+				}
+				resp, err = s.Do(rr.Request())
 				if err != nil || !ResponseHasStatusCode(resp, codes...) {
 					return resp, err
 				}
-				DelayForBackoff(backoff, attempt, r.Cancel)
+				delayed := DelayWithRetryAfter(resp, r.Cancel)
+				if !delayed {
+					DelayForBackoff(backoff, attempt, r.Cancel)
+				}
 			}
 			return resp, err
 		})
 	}
 }
 
+// DelayWithRetryAfter invokes time.After for the duration specified in the "Retry-After" header in
+// responses with status code 429
+func DelayWithRetryAfter(resp *http.Response, cancel <-chan struct{}) bool {
+	retryAfter, _ := strconv.Atoi(resp.Header.Get("Retry-After"))
+	if resp.StatusCode == http.StatusTooManyRequests && retryAfter > 0 {
+		select {
+		case <-time.After(time.Duration(retryAfter) * time.Second):
+			return true
+		case <-cancel:
+			return false
+		}
+	}
+	return false
+}
+
 // DoRetryForDuration returns a SendDecorator that retries the request until the total time is equal
 // to or greater than the specified duration, exponentially backing off between requests using the
 // supplied backoff time.Duration (which may be zero). Retrying may be canceled by closing the
@@ -224,9 +242,14 @@ func DoRetryForStatusCodes(attempts int, backoff time.Duration, codes ...int) Se
 func DoRetryForDuration(d time.Duration, backoff time.Duration) SendDecorator {
 	return func(s Sender) Sender {
 		return SenderFunc(func(r *http.Request) (resp *http.Response, err error) {
+			rr := NewRetriableRequest(r)
 			end := time.Now().Add(d)
 			for attempt := 0; time.Now().Before(end); attempt++ {
-				resp, err = s.Do(r)
+				err = rr.Prepare()
+				if err != nil {
+					return resp, err
+				}
+				resp, err = s.Do(rr.Request())
 				if err == nil {
 					return resp, err
 				}

vendor/github.com/Azure/go-autorest/autorest/validation/validation.go

@@ -205,14 +205,14 @@ func validateString(x reflect.Value, v Constraint) error {
 			return createError(x, v, fmt.Sprintf("rule must be integer value for %v constraint; got: %v", v.Name, v.Rule))
 		}
 		if len(s) > v.Rule.(int) {
-			return createError(x, v, fmt.Sprintf("value length must be less than %v", v.Rule))
+			return createError(x, v, fmt.Sprintf("value length must be less than or equal to %v", v.Rule))
 		}
 	case MinLength:
 		if _, ok := v.Rule.(int); !ok {
 			return createError(x, v, fmt.Sprintf("rule must be integer value for %v constraint; got: %v", v.Name, v.Rule))
 		}
 		if len(s) < v.Rule.(int) {
-			return createError(x, v, fmt.Sprintf("value length must be greater than %v", v.Rule))
+			return createError(x, v, fmt.Sprintf("value length must be greater than or equal to %v", v.Rule))
 		}
 	case ReadOnly:
 		if len(s) > 0 {
@@ -273,6 +273,17 @@ func validateArrayMap(x reflect.Value, v Constraint) error {
 		if x.Len() != 0 {
 			return createError(x, v, "readonly parameter; must send as nil or empty in request")
 		}
+	case Pattern:
+		reg, err := regexp.Compile(v.Rule.(string))
+		if err != nil {
+			return createError(x, v, err.Error())
+		}
+		keys := x.MapKeys()
+		for _, k := range keys {
+			if !reg.MatchString(k.String()) {
+				return createError(k, v, fmt.Sprintf("map key doesn't match pattern %v", v.Rule))
+			}
+		}
 	default:
 		return createError(x, v, fmt.Sprintf("constraint %v is not applicable to array, slice and map type", v.Name))
 	}