Enable Azure Active Directory MFA authentication (#3125)

2026-02-16 10:58:30 -05:00 · 2018-11-27 11:13:47 -08:00
parent d646b4729b
commit cb72865dcc
33 changed files with 369 additions and 109 deletions
--- a/extensions/azurecore/src/account-provider/azureAccountProvider.ts
+++ b/extensions/azurecore/src/account-provider/azureAccountProvider.ts
@@ -69,8 +69,8 @@ export class AzureAccountProvider implements sqlops.AccountProvider {
 		return this._tokenCache.clear();
 	}

-	public getSecurityToken(account: AzureAccount): Thenable<AzureAccountSecurityTokenCollection> {
-		return this.doIfInitialized(() => this.getAccessTokens(account));
+	public getSecurityToken(account: AzureAccount, resource: sqlops.AzureResource): Thenable<AzureAccountSecurityTokenCollection> {
+		return this.doIfInitialized(() => this.getAccessTokens(account, resource));
 	}

 	public initialize(restoredAccounts: sqlops.Account[]): Thenable<sqlops.Account[]> {
@@ -90,7 +90,7 @@ export class AzureAccountProvider implements sqlops.AccountProvider {

 			// Attempt to get fresh tokens. If this fails then the account is stale.
 			// NOTE: Based on ADAL implementation, getting tokens should use the refresh token if necessary
-			let task = this.getAccessTokens(account)
+			let task = this.getAccessTokens(account, sqlops.AzureResource.ResourceManagement)
 				.then(
 				() => {
 					return account;
@@ -161,9 +161,14 @@ export class AzureAccountProvider implements sqlops.AccountProvider {
 			: Promise.reject(localize('accountProviderNotInitialized', 'Account provider not initialized, cannot perform action'));
 	}

-	private getAccessTokens(account: AzureAccount): Thenable<AzureAccountSecurityTokenCollection> {
+	private getAccessTokens(account: AzureAccount, resource: sqlops.AzureResource): Thenable<AzureAccountSecurityTokenCollection> {
 		let self = this;

+		const resourceIdMap = new Map<sqlops.AzureResource, string>([
+			[sqlops.AzureResource.ResourceManagement, self._metadata.settings.armResource.id],
+			[sqlops.AzureResource.Sql, self._metadata.settings.sqlResource.id]
+		]);
+
 		let accessTokenPromises: Thenable<void>[] = [];
 		let tokenCollection: AzureAccountSecurityTokenCollection = {};
 		for (let tenant of account.properties.tenants) {
@@ -172,7 +177,7 @@ export class AzureAccountProvider implements sqlops.AccountProvider {
 				let context = new adal.AuthenticationContext(authorityUrl, null, self._tokenCache);

 				context.acquireToken(
-					self._metadata.settings.armResource.id,
+					resourceIdMap.get(resource),
 					tenant.userId,
 					self._metadata.settings.clientId,
 					(error: Error, response: adal.TokenResponse | adal.ErrorResponse) => {
--- a/extensions/azurecore/src/account-provider/interfaces.ts
+++ b/extensions/azurecore/src/account-provider/interfaces.ts
@@ -81,6 +81,11 @@ export interface Settings {
 	 */
 	armResource?: Resource;

+	/**
+	 * Information that describes the SQL Azure resource
+	 */
+	sqlResource?: Resource;
+
 	/**
 	 * A list of tenant IDs to authenticate against. If defined, then these IDs will be used
 	 * instead of querying the tenants endpoint of the armResource
--- a/extensions/azurecore/src/account-provider/providerSettings.ts
+++ b/extensions/azurecore/src/account-provider/providerSettings.ts
@@ -27,6 +27,10 @@ const publicAzureSettings: ProviderSettings = {
 				id: 'https://management.core.windows.net/',
 				endpoint: 'https://management.azure.com'
 			},
+			sqlResource: {
+				id: 'https://database.windows.net/',
+				endpoint: 'https://database.windows.net'
+			},
 			redirectUri: 'http://localhost/redirect'
 		}
 	}
--- a/extensions/azurecore/src/apiWrapper.ts
+++ b/extensions/azurecore/src/apiWrapper.ts
@@ -212,8 +212,8 @@ export class ApiWrapper {
 		return sqlops.accounts.getAllAccounts();
 	}

-	public getSecurityToken(account: sqlops.Account): Thenable<{}> {
-		return sqlops.accounts.getSecurityToken(account);
+	public getSecurityToken(account: sqlops.Account, resource: sqlops.AzureResource): Thenable<{}> {
+		return sqlops.accounts.getSecurityToken(account, resource);
 	}

 	public readonly onDidChangeAccounts = sqlops.accounts.onDidChangeAccounts;
--- a/extensions/azurecore/src/azureResource/commands.ts
+++ b/extensions/azurecore/src/azureResource/commands.ts
@@ -6,7 +6,7 @@
 'use strict';

 import { window, QuickPickItem } from 'vscode';
-import { IConnectionProfile } from 'sqlops';
+import * as sqlops from 'sqlops';
 import { generateGuid } from './utils';
 import { ApiWrapper } from '../apiWrapper';
 import { TreeNode } from '../treeNodes';
@@ -30,7 +30,7 @@ export function registerAzureResourceCommands(apiWrapper: ApiWrapper, tree: Azur

 		let subscriptions = await accountNode.getCachedSubscriptions();
 		if (!subscriptions || subscriptions.length === 0) {
-			const credentials = await servicePool.credentialService.getCredentials(accountNode.account);
+			const credentials = await servicePool.credentialService.getCredentials(accountNode.account, sqlops.AzureResource.ResourceManagement);
 			subscriptions = await servicePool.subscriptionService.getSubscriptions(accountNode.account, credentials);
 		}

@@ -71,7 +71,7 @@ export function registerAzureResourceCommands(apiWrapper: ApiWrapper, tree: Azur
 	});

 	apiWrapper.registerCommand('azureresource.connectsqldb', async (node?: TreeNode) => {
-		let connectionProfile: IConnectionProfile = {
+		let connectionProfile: sqlops.IConnectionProfile = {
 			id: generateGuid(),
 			connectionName: undefined,
 			serverName: undefined,
--- a/extensions/azurecore/src/azureResource/interfaces.ts
+++ b/extensions/azurecore/src/azureResource/interfaces.ts
@@ -6,29 +6,29 @@
 'use strict';

 import { ServiceClientCredentials } from 'ms-rest';
-import { Account, DidChangeAccountsParams } from 'sqlops';
+import * as sqlops from 'sqlops';
 import { Event } from 'vscode';

 import { AzureResourceSubscription, AzureResourceDatabaseServer, AzureResourceDatabase } from './models';

 export interface IAzureResourceAccountService {
-	getAccounts(): Promise<Account[]>;
+	getAccounts(): Promise<sqlops.Account[]>;

-	readonly onDidChangeAccounts: Event<DidChangeAccountsParams>;
+	readonly onDidChangeAccounts: Event<sqlops.DidChangeAccountsParams>;
 }

 export interface IAzureResourceCredentialService {
-	getCredentials(account: Account): Promise<ServiceClientCredentials[]>;
+	getCredentials(account: sqlops.Account, resource: sqlops.AzureResource): Promise<ServiceClientCredentials[]>;
 }

 export interface IAzureResourceSubscriptionService {
-	getSubscriptions(account: Account, credentials: ServiceClientCredentials[]): Promise<AzureResourceSubscription[]>;
+	getSubscriptions(account: sqlops.Account, credentials: ServiceClientCredentials[]): Promise<AzureResourceSubscription[]>;
 }

 export interface IAzureResourceSubscriptionFilterService {
-	getSelectedSubscriptions(account: Account): Promise<AzureResourceSubscription[]>;
+	getSelectedSubscriptions(account: sqlops.Account): Promise<AzureResourceSubscription[]>;

-	saveSelectedSubscriptions(account: Account, selectedSubscriptions: AzureResourceSubscription[]): Promise<void>;
+	saveSelectedSubscriptions(account: sqlops.Account, selectedSubscriptions: AzureResourceSubscription[]): Promise<void>;
 }

 export interface IAzureResourceDatabaseServerService {
--- a/extensions/azurecore/src/azureResource/services/credentialService.ts
+++ b/extensions/azurecore/src/azureResource/services/credentialService.ts
@@ -5,7 +5,7 @@

 'use strict';

-import { Account } from 'sqlops';
+import * as sqlops from 'sqlops';
 import { TokenCredentials, ServiceClientCredentials } from 'ms-rest';
 import { ApiWrapper } from '../../apiWrapper';
 import * as nls from 'vscode-nls';
@@ -21,10 +21,10 @@ export class AzureResourceCredentialService implements IAzureResourceCredentialS
 		this._apiWrapper = apiWrapper;
 	}

-	public async getCredentials(account: Account): Promise<ServiceClientCredentials[]> {
+	public async getCredentials(account: sqlops.Account, resource: sqlops.AzureResource): Promise<ServiceClientCredentials[]> {
 		try {
 			let credentials: TokenCredentials[] = [];
-			let tokens = await this._apiWrapper.getSecurityToken(account);
+			let tokens = await this._apiWrapper.getSecurityToken(account, resource);

 			for (let tenant of account.properties.tenants) {
 				let token = tokens[tenant.id].token;
--- a/extensions/azurecore/src/azureResource/tree/baseTreeNodes.ts
+++ b/extensions/azurecore/src/azureResource/tree/baseTreeNodes.ts
@@ -5,7 +5,7 @@

 'use strict';

-import { Account } from 'sqlops';
+import * as sqlops from 'sqlops';
 import { ServiceClientCredentials } from 'ms-rest';
 import { TreeNode } from '../../treeNodes';

@@ -28,7 +28,7 @@ export abstract class AzureResourceTreeNodeBase extends TreeNode {

 export abstract class AzureResourceContainerTreeNodeBase extends AzureResourceTreeNodeBase {
 	public constructor(
-		public readonly account: Account,
+		public readonly account: sqlops.Account,
 		treeChangeHandler: IAzureResourceTreeChangeHandler,
 		parent: TreeNode
 	) {
@@ -45,7 +45,7 @@ export abstract class AzureResourceContainerTreeNodeBase extends AzureResourceTr

 	protected async getCredentials(): Promise<ServiceClientCredentials[]> {
 		try {
-			return await this.servicePool.credentialService.getCredentials(this.account);
+			return await this.servicePool.credentialService.getCredentials(this.account, sqlops.AzureResource.ResourceManagement);
 		} catch (error) {
 			if (error instanceof AzureResourceCredentialError) {
 				this.servicePool.contextService.showErrorMessage(error.message);
--- a/extensions/azurecore/src/test/azureResource/tree/accountTreeNode.test.ts
+++ b/extensions/azurecore/src/test/azureResource/tree/accountTreeNode.test.ts
@@ -87,7 +87,7 @@ describe('AzureResourceAccountTreeNode.info', function(): void {
 		mockServicePool.subscriptionService = mockSubscriptionService.object;
 		mockServicePool.subscriptionFilterService = mockSubscriptionFilterService.object;

-		mockCredentialService.setup((o) => o.getCredentials(mockAccount)).returns(() => Promise.resolve(mockCredentials));
+		mockCredentialService.setup((o) => o.getCredentials(mockAccount, sqlops.AzureResource.ResourceManagement)).returns(() => Promise.resolve(mockCredentials));
 		mockCacheService.setup((o) => o.get(TypeMoq.It.isAnyString())).returns(() => mockSubscriptionCache);
 		mockCacheService.setup((o) => o.update(TypeMoq.It.isAnyString(), TypeMoq.It.isAny())).returns(() => mockSubscriptionCache.subscriptions[mockAccount.key.accountId] = mockSubscriptions);
 	});
@@ -164,7 +164,7 @@ describe('AzureResourceAccountTreeNode.getChildren', function(): void {
 		mockServicePool.subscriptionService = mockSubscriptionService.object;
 		mockServicePool.subscriptionFilterService = mockSubscriptionFilterService.object;

-		mockCredentialService.setup((o) => o.getCredentials(mockAccount)).returns(() => Promise.resolve(mockCredentials));
+		mockCredentialService.setup((o) => o.getCredentials(mockAccount, sqlops.AzureResource.ResourceManagement)).returns(() => Promise.resolve(mockCredentials));
 		mockCacheService.setup((o) => o.get(TypeMoq.It.isAnyString())).returns(() => mockSubscriptionCache);
 		mockCacheService.setup((o) => o.update(TypeMoq.It.isAnyString(), TypeMoq.It.isAny())).returns(() => mockSubscriptionCache.subscriptions[mockAccount.key.accountId] = mockSubscriptions);
 	});
@@ -177,7 +177,7 @@ describe('AzureResourceAccountTreeNode.getChildren', function(): void {

 		const children = await accountTreeNode.getChildren();

-		mockCredentialService.verify((o) => o.getCredentials(mockAccount), TypeMoq.Times.once());
+		mockCredentialService.verify((o) => o.getCredentials(mockAccount, sqlops.AzureResource.ResourceManagement), TypeMoq.Times.once());
 		mockSubscriptionService.verify((o) => o.getSubscriptions(mockAccount, mockCredentials), TypeMoq.Times.once());
 		mockCacheService.verify((o) => o.get(TypeMoq.It.isAnyString()), TypeMoq.Times.once());
 		mockCacheService.verify((o) => o.update(TypeMoq.It.isAnyString(), TypeMoq.It.isAny()), TypeMoq.Times.once());
@@ -213,7 +213,7 @@ describe('AzureResourceAccountTreeNode.getChildren', function(): void {
 		await accountTreeNode.getChildren();
 		const children = await accountTreeNode.getChildren();

-		mockCredentialService.verify((o) => o.getCredentials(mockAccount), TypeMoq.Times.exactly(1));
+		mockCredentialService.verify((o) => o.getCredentials(mockAccount, sqlops.AzureResource.ResourceManagement), TypeMoq.Times.exactly(1));
 		mockSubscriptionService.verify((o) => o.getSubscriptions(mockAccount, mockCredentials), TypeMoq.Times.exactly(1));
 		mockCacheService.verify((o) => o.get(TypeMoq.It.isAnyString()), TypeMoq.Times.exactly(2));
 		mockCacheService.verify((o) => o.update(TypeMoq.It.isAnyString(), TypeMoq.It.isAny()), TypeMoq.Times.exactly(1));
@@ -267,7 +267,7 @@ describe('AzureResourceAccountTreeNode.getChildren', function(): void {

 		const children = await accountTreeNode.getChildren();

-		mockCredentialService.verify((o) => o.getCredentials(mockAccount), TypeMoq.Times.once());
+		mockCredentialService.verify((o) => o.getCredentials(mockAccount, sqlops.AzureResource.ResourceManagement), TypeMoq.Times.once());
 		mockSubscriptionService.verify((o) => o.getSubscriptions(mockAccount, mockCredentials), TypeMoq.Times.once());
 		mockCacheService.verify((o) => o.get(TypeMoq.It.isAnyString()), TypeMoq.Times.never());
 		mockCacheService.verify((o) => o.update(TypeMoq.It.isAnyString(), TypeMoq.It.isAny()), TypeMoq.Times.never());
--- a/extensions/azurecore/src/test/azureResource/tree/databaseContainerTreeNode.test.ts
+++ b/extensions/azurecore/src/test/azureResource/tree/databaseContainerTreeNode.test.ts
@@ -118,7 +118,7 @@ describe('AzureResourceDatabaseContainerTreeNode.getChildren', function(): void
 		mockServicePool.credentialService = mockCredentialService.object;
 		mockServicePool.databaseService = mockDatabaseService.object;

-		mockCredentialService.setup((o) => o.getCredentials(mockAccount)).returns(() => Promise.resolve(mockCredentials));
+		mockCredentialService.setup((o) => o.getCredentials(mockAccount, sqlops.AzureResource.ResourceManagement)).returns(() => Promise.resolve(mockCredentials));
 		mockCacheService.setup((o) => o.get(TypeMoq.It.isAnyString())).returns(() => mockDatabaseContainerCache);
 		mockCacheService.setup((o) => o.update(TypeMoq.It.isAnyString(), TypeMoq.It.isAny())).returns(() => mockDatabaseContainerCache.databases[mockSubscription.id] = mockDatabases);
 	});
@@ -130,7 +130,7 @@ describe('AzureResourceDatabaseContainerTreeNode.getChildren', function(): void

 		const children = await databaseContainerTreeNode.getChildren();

-		mockCredentialService.verify((o) => o.getCredentials(mockAccount), TypeMoq.Times.once());
+		mockCredentialService.verify((o) => o.getCredentials(mockAccount, sqlops.AzureResource.ResourceManagement), TypeMoq.Times.once());
 		mockDatabaseService.verify((o) => o.getDatabases(mockSubscription, mockCredentials), TypeMoq.Times.once());
 		mockCacheService.verify((o) => o.get(TypeMoq.It.isAnyString()), TypeMoq.Times.once());
 		mockCacheService.verify((o) => o.update(TypeMoq.It.isAnyString(), TypeMoq.It.isAny()), TypeMoq.Times.once());
@@ -160,7 +160,7 @@ describe('AzureResourceDatabaseContainerTreeNode.getChildren', function(): void
 		await databaseContainerTreeNode.getChildren();
 		const children = await databaseContainerTreeNode.getChildren();

-		mockCredentialService.verify((o) => o.getCredentials(mockAccount), TypeMoq.Times.exactly(1));
+		mockCredentialService.verify((o) => o.getCredentials(mockAccount, sqlops.AzureResource.ResourceManagement), TypeMoq.Times.exactly(1));
 		mockDatabaseService.verify((o) => o.getDatabases(mockSubscription, mockCredentials), TypeMoq.Times.exactly(1));
 		mockCacheService.verify((o) => o.get(TypeMoq.It.isAnyString()), TypeMoq.Times.exactly(2));
 		mockCacheService.verify((o) => o.update(TypeMoq.It.isAnyString(), TypeMoq.It.isAny()), TypeMoq.Times.exactly(1));
@@ -193,7 +193,7 @@ describe('AzureResourceDatabaseContainerTreeNode.getChildren', function(): void
 		const databaseContainerTreeNode = new AzureResourceDatabaseContainerTreeNode(mockSubscription, mockAccount, mockTreeChangeHandler.object, undefined);
 		const children = await databaseContainerTreeNode.getChildren();

-		mockCredentialService.verify((o) => o.getCredentials(mockAccount), TypeMoq.Times.once());
+		mockCredentialService.verify((o) => o.getCredentials(mockAccount, sqlops.AzureResource.ResourceManagement), TypeMoq.Times.once());
 		mockDatabaseService.verify((o) => o.getDatabases(mockSubscription, mockCredentials), TypeMoq.Times.once());
 		mockCacheService.verify((o) => o.get(TypeMoq.It.isAnyString()), TypeMoq.Times.never());
 		mockCacheService.verify((o) => o.update(TypeMoq.It.isAnyString(), TypeMoq.It.isAny()), TypeMoq.Times.never());
--- a/extensions/azurecore/src/test/azureResource/tree/databaseServerContainerTreeNode.test.ts
+++ b/extensions/azurecore/src/test/azureResource/tree/databaseServerContainerTreeNode.test.ts
@@ -118,7 +118,7 @@ describe('AzureResourceDatabaseServerContainerTreeNode.getChildren', function():
 		mockServicePool.credentialService = mockCredentialService.object;
 		mockServicePool.databaseServerService = mockDatabaseServerService.object;

-		mockCredentialService.setup((o) => o.getCredentials(mockAccount)).returns(() => Promise.resolve(mockCredentials));
+		mockCredentialService.setup((o) => o.getCredentials(mockAccount, sqlops.AzureResource.ResourceManagement)).returns(() => Promise.resolve(mockCredentials));
 		mockCacheService.setup((o) => o.get(TypeMoq.It.isAnyString())).returns(() => mockDatabaseServerContainerCache);
 		mockCacheService.setup((o) => o.update(TypeMoq.It.isAnyString(), TypeMoq.It.isAny())).returns(() => mockDatabaseServerContainerCache.databaseServers[mockSubscription.id] = mockDatabaseServers);
 	});
@@ -130,7 +130,7 @@ describe('AzureResourceDatabaseServerContainerTreeNode.getChildren', function():

 		const children = await databaseServerContainerTreeNode.getChildren();

-		mockCredentialService.verify((o) => o.getCredentials(mockAccount), TypeMoq.Times.once());
+		mockCredentialService.verify((o) => o.getCredentials(mockAccount, sqlops.AzureResource.ResourceManagement), TypeMoq.Times.once());
 		mockDatabaseServerService.verify((o) => o.getDatabaseServers(mockSubscription, mockCredentials), TypeMoq.Times.once());
 		mockCacheService.verify((o) => o.get(TypeMoq.It.isAnyString()), TypeMoq.Times.once());
 		mockCacheService.verify((o) => o.update(TypeMoq.It.isAnyString(), TypeMoq.It.isAny()), TypeMoq.Times.once());
@@ -160,7 +160,7 @@ describe('AzureResourceDatabaseServerContainerTreeNode.getChildren', function():
 		await databaseServerContainerTreeNode.getChildren();
 		const children = await databaseServerContainerTreeNode.getChildren();

-		mockCredentialService.verify((o) => o.getCredentials(mockAccount), TypeMoq.Times.exactly(1));
+		mockCredentialService.verify((o) => o.getCredentials(mockAccount, sqlops.AzureResource.ResourceManagement), TypeMoq.Times.exactly(1));
 		mockDatabaseServerService.verify((o) => o.getDatabaseServers(mockSubscription, mockCredentials), TypeMoq.Times.exactly(1));
 		mockCacheService.verify((o) => o.get(TypeMoq.It.isAnyString()), TypeMoq.Times.exactly(2));
 		mockCacheService.verify((o) => o.update(TypeMoq.It.isAnyString(), TypeMoq.It.isAny()), TypeMoq.Times.exactly(1));
@@ -193,7 +193,7 @@ describe('AzureResourceDatabaseServerContainerTreeNode.getChildren', function():
 		const databaseServerContainerTreeNode = new AzureResourceDatabaseServerContainerTreeNode(mockSubscription, mockAccount, mockTreeChangeHandler.object, undefined);
 		const children = await databaseServerContainerTreeNode.getChildren();

-		mockCredentialService.verify((o) => o.getCredentials(mockAccount), TypeMoq.Times.once());
+		mockCredentialService.verify((o) => o.getCredentials(mockAccount, sqlops.AzureResource.ResourceManagement), TypeMoq.Times.once());
 		mockDatabaseServerService.verify((o) => o.getDatabaseServers(mockSubscription, mockCredentials), TypeMoq.Times.once());
 		mockCacheService.verify((o) => o.get(TypeMoq.It.isAnyString()), TypeMoq.Times.never());
 		mockCacheService.verify((o) => o.update(TypeMoq.It.isAnyString(), TypeMoq.It.isAny()), TypeMoq.Times.never());