hashicorp · JenGoldstrich · Aug 11, 2023 · Aug 7, 2023 · Aug 7, 2023 · Aug 7, 2023
@@ -88,13 +88,14 @@ func (b *Builder) Run(ctx context.Context, ui packersdk.Ui, hook packersdk.Hook)
 
 	// Pass in relevant auth information for hashicorp/go-azure-sdk
 	authOptions := commonclient.AzureAuthOptions{
-		AuthType:       b.config.ClientConfig.AuthType(),
-		ClientID:       b.config.ClientConfig.ClientID,
-		ClientSecret:   b.config.ClientConfig.ClientSecret,
-		ClientJWT:      b.config.ClientConfig.ClientJWT,
-		ClientCertPath: b.config.ClientConfig.ClientCertPath,
-		TenantID:       b.config.ClientConfig.TenantID,
-		SubscriptionID: b.config.ClientConfig.SubscriptionID,
+		AuthType:           b.config.ClientConfig.AuthType(),
+		ClientID:           b.config.ClientConfig.ClientID,
+		ClientSecret:       b.config.ClientConfig.ClientSecret,
+		ClientJWT:          b.config.ClientConfig.ClientJWT,
+		ClientCertPath:     b.config.ClientConfig.ClientCertPath,
+		ClientCertPassword: b.config.ClientConfig.ClientCertPassword,
+		TenantID:           b.config.ClientConfig.TenantID,
+		SubscriptionID:     b.config.ClientConfig.SubscriptionID,
 	}
 
 	ui.Message("Creating Azure Resource Manager (ARM) client ...")

@@ -184,6 +184,13 @@ func TestBuilderAcc_ManagedDisk_Windows(t *testing.T) {
 	})
 }
 
+// TODO Implement this test to validate client cert auth
+// This logic is largely straight forward and is just passing values into the SDK so we should be fine for the v2.0.0 release
+// But we should fill this test in when we migrate our acceptance tests to running in CI
+func TestBuilderAcc_ClientCertificateAuth(t *testing.T) {
+	t.Skip("Unimplemented Client Cert Auth Acceptance test")
+}
+
 func TestBuilderAcc_ManagedDisk_Windows_Build_Resource_Group(t *testing.T) {
 	t.Parallel()
 	acctest.TestPlugin(t, &acctest.PluginTestCase{

@@ -14,13 +14,14 @@ import (
 )
 
 type AzureAuthOptions struct {
-	AuthType       string
-	ClientID       string
-	ClientSecret   string
-	ClientJWT      string
-	ClientCertPath string
-	TenantID       string
-	SubscriptionID string
+	AuthType           string
+	ClientID           string
+	ClientSecret       string
+	ClientJWT          string
+	ClientCertPath     string
+	ClientCertPassword string
+	TenantID           string
+	SubscriptionID     string
 }
 
 func BuildResourceManagerAuthorizer(ctx context.Context, authOpts AzureAuthOptions, env environments.Environment) (auth.Authorizer, error) {
@@ -65,8 +66,9 @@ func buildAuthorizer(ctx context.Context, authOpts AzureAuthOptions, env environ
 			Environment: env,
 			EnableAuthenticatingUsingClientCertificate: true,
 			ClientID:                  authOpts.ClientID,
+			TenantID:                  authOpts.TenantID,
 			ClientCertificatePath:     authOpts.ClientCertPath,
-			ClientCertificatePassword: "",
+			ClientCertificatePassword: authOpts.ClientCertPassword,
 		}
 	case AuthTypeClientBearerJWT:
 		authConfig = auth.Credentials{

@@ -64,13 +64,14 @@ func New(c Config, say func(string)) (AzureClientSet, error) {
 func new(c Config, say func(string)) (*azureClientSet, error) {
 	// Pass in relevant auth information for hashicorp/go-azure-sdk
 	authOptions := AzureAuthOptions{
-		AuthType:       c.AuthType(),
-		ClientID:       c.ClientID,
-		ClientSecret:   c.ClientSecret,
-		ClientJWT:      c.ClientJWT,
-		ClientCertPath: c.ClientCertPath,
-		TenantID:       c.TenantID,
-		SubscriptionID: c.SubscriptionID,
+		AuthType:           c.AuthType(),
+		ClientID:           c.ClientID,
+		ClientSecret:       c.ClientSecret,
+		ClientJWT:          c.ClientJWT,
+		ClientCertPath:     c.ClientCertPath,
+		ClientCertPassword: c.ClientCertPassword,
+		TenantID:           c.TenantID,
+		SubscriptionID:     c.SubscriptionID,
 	}
 	cloudEnv := c.cloudEnvironment
 	resourceManagerEndpoint, _ := cloudEnv.ResourceManager.Endpoint()

@@ -14,7 +14,6 @@ import (
 	"os"
 	"regexp"
 	"strings"
-	"time"
 
 	"github.com/Azure/go-autorest/autorest/azure/cli"
 	jwt "github.com/golang-jwt/jwt"
@@ -58,11 +57,11 @@ type Config struct {
 	ClientID string `mapstructure:"client_id"`
 	// A password/secret registered for the AAD SP.
 	ClientSecret string `mapstructure:"client_secret"`
-	// The path to a pem-encoded certificate that will be used to authenticate
-	// as the specified AAD SP.
+	// The path to a PKCS#12 bundle (.pfx file) to be used as the client certificate
+	// that will be used to authenticate as the specified AAD SP.
 	ClientCertPath string `mapstructure:"client_cert_path"`
-	// The timeout for the JWT Token when using a [client certificate](#client_cert_path). Defaults to 1 hour.
-	ClientCertExpireTimeout time.Duration `mapstructure:"client_cert_token_timeout" required:"false"`
+	// The password for decrypting the client certificate bundle.
+	ClientCertPassword string `mapstructure:"client_cert_password"`
 	// A JWT bearer token for client auth (RFC 7523, Sec. 2.2) that will be used
 	// to authenticate the AAD SP. Provides more control over token the expiration
 	// when using certificate authentication than when using `client_cert_path`.
@@ -198,9 +197,6 @@ func (c Config) Validate(errs *packersdk.MultiError) {
 		if _, err := os.Stat(c.ClientCertPath); err != nil {
 			errs = packersdk.MultiErrorAppend(errs, fmt.Errorf("client_cert_path is not an accessible file: %v", err))
 		}
-		if c.ClientCertExpireTimeout != 0 && c.ClientCertExpireTimeout < 5*time.Minute {
-			errs = packersdk.MultiErrorAppend(errs, fmt.Errorf("client_cert_token_timeout will expire within 5 minutes, please set a value greater than 5 minutes"))
-		}
 		return
 	}
 
@@ -296,10 +292,6 @@ func (c *Config) FillParameters() error {
 		c.TenantID = tenantID
 	}
 
-	if c.ClientCertExpireTimeout == 0 {
-		c.ClientCertExpireTimeout = time.Hour
-	}
-
 	return nil
 }
 

@@ -97,16 +97,6 @@ func Test_ClientConfig_RequiredParametersSet(t *testing.T) {
 			},
 			wantErr: true,
 		},
-		{
-			name: "client_cert_token_timeout should be 5 minutes or more",
-			config: Config{
-				SubscriptionID:          "ok",
-				ClientID:                "ok",
-				ClientCertPath:          "/dev/null",
-				ClientCertExpireTimeout: 1 * time.Minute,
-			},
-			wantErr: true,
-		},
 		{
 			name: "too many client_* values",
 			config: Config{

@@ -76,13 +76,14 @@ func (b *Builder) Run(ctx context.Context, ui packersdk.Ui, hook packersdk.Hook)
 
 	// Pass in relevant auth information for hashicorp/go-azure-sdk
 	authOptions := commonclient.AzureAuthOptions{
-		AuthType:       b.config.ClientConfig.AuthType(),
-		ClientID:       b.config.ClientConfig.ClientID,
-		ClientSecret:   b.config.ClientConfig.ClientSecret,
-		ClientJWT:      b.config.ClientConfig.ClientJWT,
-		ClientCertPath: b.config.ClientConfig.ClientCertPath,
-		TenantID:       b.config.ClientConfig.TenantID,
-		SubscriptionID: b.config.ClientConfig.SubscriptionID,
+		AuthType:           b.config.ClientConfig.AuthType(),
+		ClientID:           b.config.ClientConfig.ClientID,
+		ClientSecret:       b.config.ClientConfig.ClientSecret,
+		ClientJWT:          b.config.ClientConfig.ClientJWT,
+		ClientCertPath:     b.config.ClientConfig.ClientCertPath,
+		ClientCertPassword: b.config.ClientConfig.ClientCertPassword,
+		TenantID:           b.config.ClientConfig.TenantID,
+		SubscriptionID:     b.config.ClientConfig.SubscriptionID,
 	}
 	ui.Message("Creating Azure DevTestLab (DTL) client ...")
 	azureClient, err := NewAzureClient(

@@ -16,10 +16,10 @@
 
 - `client_secret` (string) - A password/secret registered for the AAD SP.
 
-- `client_cert_path` (string) - The path to a pem-encoded certificate that will be used to authenticate
-  as the specified AAD SP.
+- `client_cert_path` (string) - The path to a PKCS#12 bundle (.pfx file) to be used as the client certificate
+  that will be used to authenticate as the specified AAD SP.
 
-- `client_cert_token_timeout` (duration string | ex: "1h5m2s") - The timeout for the JWT Token when using a [client certificate](#client_cert_path). Defaults to 1 hour.
+- `client_cert_password` (string) - The password for decrypting the client certificate bundle.
 
 - `client_jwt` (string) - A JWT bearer token for client auth (RFC 7523, Sec. 2.2) that will be used
   to authenticate the AAD SP. Provides more control over token the expiration