feat(azure): add OIDC/Workload Identity Federation authentication support#11389
Open
mdoukan wants to merge 5 commits into
Open
feat(azure): add OIDC/Workload Identity Federation authentication support#11389mdoukan wants to merge 5 commits into
mdoukan wants to merge 5 commits into
Conversation
…heck Projects covered by an organisation-level Cloud Logging sink with includeChildren=True were incorrectly reported as FAIL because the service only queried project-scoped sinks. Changes: - Add `include_children: bool = False` field to the `Sink` model so org/folder-level sinks can be distinguished from project-level ones. - Add `Logging._get_org_sinks()` which fetches sinks for every organisation found in the scanned projects and appends them to `self.sinks` with `project_id="organizations/<id>"`. - Update `logging_sink_created.execute()` to pass a project when its organisation has an aggregated sink with `includeChildren=True`, even if no project-scoped sink exists. - Add three new test cases covering the org-level-sink PASS path, the no-include-children FAIL path, and the project-sink-takes-precedence case. - Fix two existing MagicMock sink tests that did not set `include_children`, which would have caused false positives with the new logic. Closes prowler-cloud#11343 Signed-off-by: Oleksandr Sanin <alexaaander.sanin@gmail.com>
…port Implements Azure provider support for OIDC (Workload Identity Federation) authentication, enabling Prowler to run in security-strict production environments where static client secrets are prohibited. Closes prowler-cloud#11386 Changes: - Add --oidc-auth CLI flag as a new mutually exclusive authentication mode - Add AzureOIDCTokenMissingError exception (code: 2024) for missing env vars - Add check_oidc_creds_env_vars() static method to validate required env vars - Add oidc_auth parameter to __init__, validate_arguments, setup_session, setup_identity and test_connection methods - Use ClientAssertionCredential with a lazy token callback that reads AZURE_FEDERATED_TOKEN (falling back to AZURE_OIDC_TOKEN) at runtime - Identity type reported as 'Service Principal (OIDC)' for OIDC sessions - Add TestAzureProviderOIDCAuth test class with 7 unit tests covering missing env vars, token fallback, successful session setup and test_connection flow Usage: export AZURE_CLIENT_ID="..." export AZURE_TENANT_ID="..." export AZURE_FEDERATED_TOKEN="eyJra..." # or AZURE_OIDC_TOKEN prowler azure --oidc-auth
github-actions
Bot
added
the
provider/azure
Contributor
|
✅ Conflict Markers Resolved All conflict markers have been successfully resolved in this pull request. |
…tests - Run black on logging_service.py and logging_sink_created.py to satisfy the sdk-code-quality CI check (collapsed single-arg call, wrapped long ternary). - Add changelog entry for the logging_sink_created false-FAIL fix. - Add two unit tests for Logging._get_org_sinks(): one verifying that org-level sinks are fetched when projects have an organisation, and one confirming nothing is added when no organisation is present. These cover the 10 previously uncovered lines flagged by Codecov. Signed-off-by: Oleksandr Sanin <alexaaander.sanin@gmail.com>
# Conflicts: # prowler/CHANGELOG.md
github-actions
Bot
added
the
provider/gcp
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR implements Azure OIDC (Workload Identity Federation) authentication support, resolving #11386.
The Azure provider previously only supported static
AZURE_CLIENT_SECRET. In production environments where static secrets are prohibited by security policy, Prowler was unusable. This PR adds a new--oidc-authmode using short-lived JWT tokens.Changes
arguments.py: Add--oidc-authCLI flag as a new mutually exclusive authentication modeexceptions.py: AddAzureOIDCTokenMissingErrorexception (error code2024)azure_provider.py:oidc_authparameter to__init__,validate_arguments,setup_session,setup_identity,test_connectioncheck_oidc_creds_env_vars()static methodClientAssertionCredentialwith a lazy token callback (readsAZURE_FEDERATED_TOKEN, falling back toAZURE_OIDC_TOKEN)Service Principal (OIDC)tests/providers/azure/azure_provider_test.py: AddTestAzureProviderOIDCAuthclass with 7 unit testsUsage
Notes
ClientAssertionCredentialis already part ofazure-identity--sp-env-authmode is unchangedCloses #11386