Replace go-autorest MS Graph client with msgraph-sdk-go

[vinay-gopalan]

Overview

This PR replaces the deprecated go-autorest module with msgraph-sdk-go.

Related Issues/Pull Requests

[ ] #166
[ ] PR #1234

Contributor Checklist

[x] Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won’t be added yet
[x] Add output for any tests not ran in CI to the PR description (eg, acceptance tests)
[x] Backwards compatible

$ make test
--- PASS: TestPeriodicFuncNilConfig (0.00s)
=== RUN   TestRetry
=== PAUSE TestRetry
=== RUN   TestConfig
=== RUN   TestConfig/root_password_ttl_defaults_to_6_months
=== RUN   TestConfig/root_password_ttl_set_if_provided
=== RUN   TestConfig/environment_set_if_provided
--- PASS: TestConfig (0.00s)
    --- PASS: TestConfig/root_password_ttl_defaults_to_6_months (0.00s)
    --- PASS: TestConfig/root_password_ttl_set_if_provided (0.00s)
    --- PASS: TestConfig/environment_set_if_provided (0.00s)
=== RUN   TestConfigEnvironmentClouds
--- PASS: TestConfigEnvironmentClouds (0.00s)
=== RUN   TestConfigDelete
--- PASS: TestConfigDelete (0.00s)
=== RUN   TestRoleCreate
=== RUN   TestRoleCreate/SP_role
=== RUN   TestRoleCreate/SP_persistent_role
=== RUN   TestRoleCreate/Static_SP_role
=== RUN   TestRoleCreate/Optional_role_TTLs
=== RUN   TestRoleCreate/Role_TTL_Checks
=== RUN   TestRoleCreate/Role_name_lookup
=== RUN   TestRoleCreate/Group_name_lookup
=== RUN   TestRoleCreate/Duplicate_role_name_and_scope
=== RUN   TestRoleCreate/Duplicate_role_name,_different_scope
=== RUN   TestRoleCreate/Duplicate_group_object_ID
=== RUN   TestRoleCreate/Role_name_lookup_(multiple_match)
=== RUN   TestRoleCreate/Group_name_lookup_(multiple_match)
--- PASS: TestRoleCreate (0.00s)
    --- PASS: TestRoleCreate/SP_role (0.00s)
    --- PASS: TestRoleCreate/SP_persistent_role (0.00s)
    --- PASS: TestRoleCreate/Static_SP_role (0.00s)
    --- PASS: TestRoleCreate/Optional_role_TTLs (0.00s)
    --- PASS: TestRoleCreate/Role_TTL_Checks (0.00s)
    --- PASS: TestRoleCreate/Role_name_lookup (0.00s)
    --- PASS: TestRoleCreate/Group_name_lookup (0.00s)
    --- PASS: TestRoleCreate/Duplicate_role_name_and_scope (0.00s)
    --- PASS: TestRoleCreate/Duplicate_role_name,_different_scope (0.00s)
    --- PASS: TestRoleCreate/Duplicate_group_object_ID (0.00s)
    --- PASS: TestRoleCreate/Role_name_lookup_(multiple_match) (0.00s)
    --- PASS: TestRoleCreate/Group_name_lookup_(multiple_match) (0.00s)
=== RUN   TestRoleCreateBad
--- PASS: TestRoleCreateBad (0.00s)
=== RUN   TestRoleUpdateError
--- PASS: TestRoleUpdateError (0.00s)
=== RUN   TestRoleList
--- PASS: TestRoleList (0.00s)
=== RUN   TestRoleDelete
--- PASS: TestRoleDelete (0.00s)
=== RUN   TestRotateRootSuccess
    path_rotate_root_test.go:19: Missing env variable: [AZURE_CLIENT_ID] - skipping test
--- SKIP: TestRotateRootSuccess (0.00s)
=== RUN   TestRotateRootPeriodicFunctionBeforeMinute
    path_rotate_root_test.go:98: Missing env variable: [AZURE_CLIENT_ID] - skipping test
--- SKIP: TestRotateRootPeriodicFunctionBeforeMinute (0.00s)
=== RUN   TestSP_WAL_Cleanup
=== RUN   TestSP_WAL_Cleanup/Role_assign_fail
--- PASS: TestSP_WAL_Cleanup (5.00s)
    --- PASS: TestSP_WAL_Cleanup/Role_assign_fail (5.00s)
=== RUN   TestSPRead
=== RUN   TestSPRead/Basic_Role
=== RUN   TestSPRead/Basic_Group
=== RUN   TestSPRead/TTLs
--- PASS: TestSPRead (0.00s)
    --- PASS: TestSPRead/Basic_Role (0.00s)
    --- PASS: TestSPRead/Basic_Group (0.00s)
    --- PASS: TestSPRead/TTLs (0.00s)
=== RUN   TestStaticSPRead
=== RUN   TestStaticSPRead/Basic
=== RUN   TestStaticSPRead/TTLs
--- PASS: TestStaticSPRead (0.00s)
    --- PASS: TestStaticSPRead/Basic (0.00s)
    --- PASS: TestStaticSPRead/TTLs (0.00s)
=== RUN   TestPersistentAppSPRead
=== RUN   TestPersistentAppSPRead/Basic
=== RUN   TestPersistentAppSPRead/TTLs
--- PASS: TestPersistentAppSPRead (0.00s)
    --- PASS: TestPersistentAppSPRead/Basic (0.00s)
    --- PASS: TestPersistentAppSPRead/TTLs (0.00s)
=== RUN   TestSPRevoke
=== RUN   TestSPRevoke/roles
=== RUN   TestSPRevoke/permanently_delete_roles
=== RUN   TestSPRevoke/groups
--- PASS: TestSPRevoke (0.00s)
    --- PASS: TestSPRevoke/roles (0.00s)
    --- PASS: TestSPRevoke/permanently_delete_roles (0.00s)
    --- PASS: TestSPRevoke/groups (0.00s)
=== RUN   TestStaticSPRevoke
--- PASS: TestStaticSPRevoke (0.00s)
=== RUN   TestSPReadMissingRole
--- PASS: TestSPReadMissingRole (0.00s)
=== RUN   TestCredentialReadProviderError
--- PASS: TestCredentialReadProviderError (0.00s)
=== RUN   TestRoleAssignmentWALRollback
--- SKIP: TestRoleAssignmentWALRollback (0.00s)
=== RUN   TestCredentialInteg_msgraph
--- SKIP: TestCredentialInteg_msgraph (0.00s)
=== CONT  TestRetry
=== RUN   TestRetry/First_try_success
=== RUN   TestRetry/Three_retries
=== PAUSE TestRetry/Three_retries
=== RUN   TestRetry/Error_on_attempt
=== PAUSE TestRetry/Error_on_attempt
=== RUN   TestRetry/Timeout
=== PAUSE TestRetry/Timeout
=== RUN   TestRetry/Cancellation
=== PAUSE TestRetry/Cancellation
=== CONT  TestRetry/Three_retries
=== CONT  TestRetry/Timeout
=== CONT  TestRetry/Cancellation
=== CONT  TestRetry/Error_on_attempt
--- PASS: TestRetry (0.00s)
    --- PASS: TestRetry/First_try_success (0.00s)
    --- PASS: TestRetry/Error_on_attempt (0.00s)
    --- PASS: TestRetry/Cancellation (1.00s)
    --- PASS: TestRetry/Timeout (10.00s)
    --- PASS: TestRetry/Three_retries (12.00s)
PASS
ok      github.com/hashicorp/vault-plugin-secrets-azure 18.475s
?       github.com/hashicorp/vault-plugin-secrets-azure/api     [no test files]
?       github.com/hashicorp/vault-plugin-secrets-azure/cmd/vault-plugin-secrets-azure  [no test files]
?       github.com/hashicorp/vault-plugin-secrets-azure/mocks   [no test files]

[vinay-gopalan]

Did not see this being used anywhere. Plus we have another provider_mock_test which seems to be achieving the same thing. Opted to delete this and update the latter with new MSGraph SDK mock tests

[raymonstah]

Great work! Had some concerns about returning the msgraph package interface and exposing it in our (presumably public) interface.

[austingebauer]

This is unrelated to your PR (sorry!) but probably a good time to figure out what's going on. It appears that passwords is unused here. Looking closer, it appears that our password Generate() func in api/passwords.go is also unused. It doesn't looks like Azure lets you provide a password but instead returns one to the client. This leads me to wonder if/how password_policy works? 🤔

[fairclothjm]

It doesn't appear as though it works. I wonder if we need to use SetSecretText in AddApplicationPassword()?

[raymonstah]

Based on their API docs:

1. https://learn.microsoft.com/en-us/graph/api/application-addpassword?view=graph-rest-1.0&tabs=http
2. https://learn.microsoft.com/en-us/graph/api/serviceprincipal-addpassword?view=graph-rest-1.0&tabs=http

It doesn't seem like there's a way to set the password.

Maybe the fields were just added in case their API adds support for a user defined password in the future.

[austingebauer]

Hmm, ya it doesn't look like you can set a password even with that SetSecretText() method. I think it's safe to say password policies don't work here. I'm thinking we'll want to deprecate the parameter, remove the code, and announce this in documentation / upgrade guides at minimum. Can be done in a separate task if that's preferred.

[vinay-gopalan]

Thanks for the context folks! Will add a ticket to track this in our backlog, and going to opt to tackle this in a follow-up PR 👍🏼

[austingebauer]

Looking good so far! Haven't made it all the way through yet. Will circle back tomorrow.

[fairclothjm]

nit: I think it might be simpler to change Lines 187-196 to

if err != nil {
	// Propagation delays within Azure can cause this error occasionally, so don't quit on it.
	if strings.Contains(err.Error(), "PrincipalNotFound") {
		return nil, false, nil
	}
	return "", true, err
}
return *ra.ID, true, nil

It looks like Create always returns an error when RoleAssignmentsClientCreateResponse is empty

[fairclothjm]

Seeing failures:

=== RUN   TestRotateRootSuccess
    path_rotate_root_test.go:39: failed to add new password: Resource 'd40cee02-4c15-4396-b857-3c52894762d3' does not exist or one of its queried reference-property objects are not present.
--- FAIL: TestRotateRootSuccess (0.65s)
=== RUN   TestRotateRootPeriodicFunctionBeforeMinute
    path_rotate_root_test.go:118: failed to add new password: Resource 'd40cee02-4c15-4396-b857-3c52894762d3' does not exist or one of its queried reference-property objects are not present.
--- FAIL: TestRotateRootPeriodicFunctionBeforeMinute (0.56s)

[vinay-gopalan]

Seeing failures:

=== RUN   TestRotateRootSuccess
    path_rotate_root_test.go:39: failed to add new password: Resource 'd40cee02-4c15-4396-b857-3c52894762d3' does not exist or one of its queried reference-property objects are not present.
--- FAIL: TestRotateRootSuccess (0.65s)
=== RUN   TestRotateRootPeriodicFunctionBeforeMinute
    path_rotate_root_test.go:118: failed to add new password: Resource 'd40cee02-4c15-4396-b857-3c52894762d3' does not exist or one of its queried reference-property objects are not present.
--- FAIL: TestRotateRootPeriodicFunctionBeforeMinute (0.56s)

I accidentally switched to using the AppID instead of the AppObjectID in rotate root at some point 😅 Fixed now!

[austingebauer]

A few small comments but otherwise LGTM! Nice job working through this one @vinay-gopalan!