v10.0.0, merge branch 'dev'

Author: jhendrixMSFT

.travis.yml

@@ -5,14 +5,13 @@ language: go
 go:
   - 1.9
   - 1.8
-  - 1.7
 
 install:
   - go get -u github.com/golang/lint/golint
-  - go get -u github.com/Masterminds/glide
+  - go get -u github.com/golang/dep/cmd/dep
   - go get -u github.com/stretchr/testify
   - go get -u github.com/GoASTScanner/gas
-  - glide install
+  - dep ensure
 
 script:
   - grep -L -r --include *.go --exclude-dir vendor -P "Copyright (\d{4}|\(c\)) Microsoft" ./ | tee /dev/stderr | test -z "$(< /dev/stdin)"

CHANGELOG.md

@@ -1,5 +1,27 @@
 # CHANGELOG
 
+## v10.0.0
+
+### New Features
+
+- Added target and innererror fields to ServiceError to comply with OData v4 spec.
+- The Done() method on futures will now return a ServiceError object when available (it used to return a partial value of such errors).
+- Added helper methods for obtaining authorizers.
+- Expose the polling URL for futures.
+
+### Bug Fixes
+
+- Switched from glide to dep for dependency management.
+- Fixed unmarshaling of ServiceError for JSON bodies that don't conform to the OData spec.
+- Fixed a race condition in token refresh.
+
+### Breaking Changes
+
+- The ServiceError.Details field type has been changed to match the OData v4 spec.
+- Go v1.7 has been dropped from CI.
+- API parameter validation failures will now return a unique error type validation.Error.
+- The adal.Token type has been decomposed from adal.ServicePrincipalToken (this was necessary in order to fix the token refresh race).
+
 ## v9.10.0
 - Fix the Service Bus suffix in Azure public env
 - Add Service Bus Endpoint (AAD ResourceURI) for use in [Azure Service Bus RBAC Preview](https://docs.microsoft.com/en-us/azure/service-bus-messaging/service-bus-role-based-access-control)

Gopkg.lock

@@ -0,0 +1,41 @@
+# Gopkg.toml example
+#
+# Refer to https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md
+# for detailed Gopkg.toml documentation.
+#
+# required = ["github.com/user/thing/cmd/thing"]
+# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"]
+#
+# [[constraint]]
+#   name = "github.com/user/project"
+#   version = "1.0.0"
+#
+# [[constraint]]
+#   name = "github.com/user/project2"
+#   branch = "dev"
+#   source = "github.com/myfork/project2"
+#
+# [[override]]
+#  name = "github.com/x/y"
+#  version = "2.4.0"
+
+
+[[constraint]]
+  name = "github.com/dgrijalva/jwt-go"
+  version = "3.1.0"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/dimchansky/utfbom"
+
+[[constraint]]
+  branch = "master"
+  name = "github.com/mitchellh/go-homedir"
+
+[[constraint]]
+  name = "github.com/stretchr/testify"
+  version = "1.2.0"
+
+[[constraint]]
+  branch = "master"
+  name = "golang.org/x/crypto"

Gopkg.toml

@@ -281,7 +281,7 @@ func main() {
 			resource,
 			callback)
 		if err == nil {
-			err = saveToken(spt.Token)
+			err = saveToken(spt.Token())
 		}
 	case refreshMode:
 		_, err = refreshToken(

autorest/adal/cmd/adal.go

@@ -243,16 +243,15 @@ func (secret *ServicePrincipalCertificateSecret) SetAuthenticationValues(spt *Se
 
 // ServicePrincipalToken encapsulates a Token created for a Service Principal.
 type ServicePrincipalToken struct {
-	Token
-
-	secret          ServicePrincipalSecret
-	oauthConfig     OAuthConfig
-	clientID        string
-	resource        string
-	autoRefresh     bool
-	autoRefreshLock *sync.Mutex
-	refreshWithin   time.Duration
-	sender          Sender
+	token         Token
+	secret        ServicePrincipalSecret
+	oauthConfig   OAuthConfig
+	clientID      string
+	resource      string
+	autoRefresh   bool
+	refreshLock   *sync.RWMutex
+	refreshWithin time.Duration
+	sender        Sender
 
 	refreshCallbacks []TokenRefreshCallback
 }
@@ -284,7 +283,7 @@ func NewServicePrincipalTokenWithSecret(oauthConfig OAuthConfig, id string, reso
 		clientID:         id,
 		resource:         resource,
 		autoRefresh:      true,
-		autoRefreshLock:  &sync.Mutex{},
+		refreshLock:      &sync.RWMutex{},
 		refreshWithin:    defaultRefresh,
 		sender:           &http.Client{},
 		refreshCallbacks: callbacks,
@@ -316,7 +315,7 @@ func NewServicePrincipalTokenFromManualToken(oauthConfig OAuthConfig, clientID s
 		return nil, err
 	}
 
-	spt.Token = token
+	spt.token = token
 
 	return spt, nil
 }
@@ -502,7 +501,7 @@ func newServicePrincipalTokenFromMSI(msiEndpoint, resource string, userAssignedI
 		secret:           &ServicePrincipalMSISecret{},
 		resource:         resource,
 		autoRefresh:      true,
-		autoRefreshLock:  &sync.Mutex{},
+		refreshLock:      &sync.RWMutex{},
 		refreshWithin:    defaultRefresh,
 		sender:           &http.Client{},
 		refreshCallbacks: callbacks,
@@ -538,12 +537,12 @@ func newTokenRefreshError(message string, resp *http.Response) TokenRefreshError
 // EnsureFresh will refresh the token if it will expire within the refresh window (as set by
 // RefreshWithin) and autoRefresh flag is on.  This method is safe for concurrent use.
 func (spt *ServicePrincipalToken) EnsureFresh() error {
-	if spt.autoRefresh && spt.WillExpireIn(spt.refreshWithin) {
-		// take the lock then check to see if the token was already refreshed
-		spt.autoRefreshLock.Lock()
-		defer spt.autoRefreshLock.Unlock()
-		if spt.WillExpireIn(spt.refreshWithin) {
-			return spt.Refresh()
+	if spt.autoRefresh && spt.token.WillExpireIn(spt.refreshWithin) {
+		// take the write lock then check to see if the token was already refreshed
+		spt.refreshLock.Lock()
+		defer spt.refreshLock.Unlock()
+		if spt.token.WillExpireIn(spt.refreshWithin) {
+			return spt.refreshInternal(spt.resource)
 		}
 	}
 	return nil
@@ -553,7 +552,7 @@ func (spt *ServicePrincipalToken) EnsureFresh() error {
 func (spt *ServicePrincipalToken) InvokeRefreshCallbacks(token Token) error {
 	if spt.refreshCallbacks != nil {
 		for _, callback := range spt.refreshCallbacks {
-			err := callback(spt.Token)
+			err := callback(spt.token)
 			if err != nil {
 				return fmt.Errorf("adal: TokenRefreshCallback handler failed. Error = '%v'", err)
 			}
@@ -565,12 +564,16 @@ func (spt *ServicePrincipalToken) InvokeRefreshCallbacks(token Token) error {
 // Refresh obtains a fresh token for the Service Principal.
 // This method is not safe for concurrent use and should be syncrhonized.
 func (spt *ServicePrincipalToken) Refresh() error {
+	spt.refreshLock.Lock()
+	defer spt.refreshLock.Unlock()
 	return spt.refreshInternal(spt.resource)
 }
 
 // RefreshExchange refreshes the token, but for a different resource.
 // This method is not safe for concurrent use and should be syncrhonized.
 func (spt *ServicePrincipalToken) RefreshExchange(resource string) error {
+	spt.refreshLock.Lock()
+	defer spt.refreshLock.Unlock()
 	return spt.refreshInternal(resource)
 }
 
@@ -590,9 +593,9 @@ func (spt *ServicePrincipalToken) refreshInternal(resource string) error {
 	v.Set("client_id", spt.clientID)
 	v.Set("resource", resource)
 
-	if spt.RefreshToken != "" {
+	if spt.token.RefreshToken != "" {
 		v.Set("grant_type", OAuthGrantTypeRefreshToken)
-		v.Set("refresh_token", spt.RefreshToken)
+		v.Set("refresh_token", spt.token.RefreshToken)
 	} else {
 		v.Set("grant_type", spt.getGrantType())
 		err := spt.secret.SetAuthenticationValues(spt, &v)
@@ -640,7 +643,7 @@ func (spt *ServicePrincipalToken) refreshInternal(resource string) error {
 		return fmt.Errorf("adal: Failed to unmarshal the service principal token during refresh. Error = '%v' JSON = '%s'", err, string(rb))
 	}
 
-	spt.Token = token
+	spt.token = token
 
 	return spt.InvokeRefreshCallbacks(token)
 }
@@ -660,3 +663,17 @@ func (spt *ServicePrincipalToken) SetRefreshWithin(d time.Duration) {
 // SetSender sets the http.Client used when obtaining the Service Principal token. An
 // undecorated http.Client is used by default.
 func (spt *ServicePrincipalToken) SetSender(s Sender) { spt.sender = s }
+
+// OAuthToken implements the OAuthTokenProvider interface.  It returns the current access token.
+func (spt *ServicePrincipalToken) OAuthToken() string {
+	spt.refreshLock.RLock()
+	defer spt.refreshLock.RUnlock()
+	return spt.token.OAuthToken()
+}
+
+// Token returns a copy of the current token.
+func (spt *ServicePrincipalToken) Token() Token {
+	spt.refreshLock.RLock()
+	defer spt.refreshLock.RUnlock()
+	return spt.token
+}

autorest/adal/token.go

@@ -445,20 +445,20 @@ func TestServicePrincipalTokenRefreshUnmarshals(t *testing.T) {
 	err := spt.Refresh()
 	if err != nil {
 		t.Fatalf("adal: ServicePrincipalToken#Refresh returned an unexpected error (%v)", err)
-	} else if spt.AccessToken != "accessToken" ||
-		spt.ExpiresIn != "3600" ||
-		spt.ExpiresOn != expiresOn ||
-		spt.NotBefore != expiresOn ||
-		spt.Resource != "resource" ||
-		spt.Type != "Bearer" {
+	} else if spt.token.AccessToken != "accessToken" ||
+		spt.token.ExpiresIn != "3600" ||
+		spt.token.ExpiresOn != expiresOn ||
+		spt.token.NotBefore != expiresOn ||
+		spt.token.Resource != "resource" ||
+		spt.token.Type != "Bearer" {
 		t.Fatalf("adal: ServicePrincipalToken#Refresh failed correctly unmarshal the JSON -- expected %v, received %v",
 			j, *spt)
 	}
 }
 
 func TestServicePrincipalTokenEnsureFreshRefreshes(t *testing.T) {
 	spt := newServicePrincipalToken()
-	expireToken(&spt.Token)
+	expireToken(&spt.token)
 
 	body := mocks.NewBody(newTokenJSON("test", "test"))
 	resp := mocks.NewResponseWithBodyAndStatus(body, http.StatusOK, "OK")
@@ -486,7 +486,7 @@ func TestServicePrincipalTokenEnsureFreshRefreshes(t *testing.T) {
 
 func TestServicePrincipalTokenEnsureFreshSkipsIfFresh(t *testing.T) {
 	spt := newServicePrincipalToken()
-	setTokenToExpireIn(&spt.Token, 1000*time.Second)
+	setTokenToExpireIn(&spt.token, 1000*time.Second)
 
 	f := false
 	c := mocks.NewSender()
@@ -553,7 +553,7 @@ func TestRefreshCallbackErrorPropagates(t *testing.T) {
 // This demonstrates the danger of manual token without a refresh token
 func TestServicePrincipalTokenManualRefreshFailsWithoutRefresh(t *testing.T) {
 	spt := newServicePrincipalTokenManual()
-	spt.RefreshToken = ""
+	spt.token.RefreshToken = ""
 	err := spt.Refresh()
 	if err == nil {
 		t.Fatalf("adal: ServicePrincipalToken#Refresh should have failed with a ManualTokenSecret without a refresh token")

autorest/adal/token_test.go

@@ -75,7 +75,7 @@ func TestServicePrincipalTokenWithAuthorizationNoRefresh(t *testing.T) {
 	req, err := Prepare(mocks.NewRequest(), ba.WithAuthorization())
 	if err != nil {
 		t.Fatalf("azure: BearerAuthorizer#WithAuthorization returned an error (%v)", err)
-	} else if req.Header.Get(http.CanonicalHeaderKey("Authorization")) != fmt.Sprintf("Bearer %s", spt.AccessToken) {
+	} else if req.Header.Get(http.CanonicalHeaderKey("Authorization")) != fmt.Sprintf("Bearer %s", spt.OAuthToken()) {
 		t.Fatal("azure: BearerAuthorizer#WithAuthorization failed to set Authorization header")
 	}
 }
@@ -120,7 +120,7 @@ func TestServicePrincipalTokenWithAuthorizationRefresh(t *testing.T) {
 	req, err := Prepare(mocks.NewRequest(), ba.WithAuthorization())
 	if err != nil {
 		t.Fatalf("azure: BearerAuthorizer#WithAuthorization returned an error (%v)", err)
-	} else if req.Header.Get(http.CanonicalHeaderKey("Authorization")) != fmt.Sprintf("Bearer %s", spt.AccessToken) {
+	} else if req.Header.Get(http.CanonicalHeaderKey("Authorization")) != fmt.Sprintf("Bearer %s", spt.OAuthToken()) {
 		t.Fatal("azure: BearerAuthorizer#WithAuthorization failed to set Authorization header")
 	}