#!/bin/bash
# Azure CLI shim for GitHub Codespaces
# Intercepts 'az account get-access-token' requests and uses azure-auth-helper
# to acquire tokens via the ado-codespaces-auth VS Code extension.
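# Load resolve_shim, which the rest of this script calls to obtain the path of
# the real az executable.
# NOTE(review): this file is sourced from the shim's own directory, so whatever
# it contains runs with the caller's privileges - that directory should be
# writable only by trusted users.
source "$(dirname "$0")"/resolve-shim.sh

# If ACTIONS_ID_TOKEN_REQUEST_URL is set, we are in GitHub Actions - skip
# interception and pass the command line to the real az unchanged.
if [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL}" ]; then
  AZ_EXE="$(resolve_shim)"
  # Same guard as the fall-through path at the end of the script: without it
  # an empty result would reach exec and fail with an unhelpful message.
  if [ -z "${AZ_EXE}" ]; then
    echo "Error: Azure CLI not found in PATH" >&2
    exit 1
  fi
  exec "${AZ_EXE}" "$@"
fi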
# Lookup table: value given to 'az account get-access-token --resource-type'
# -> resource URL. A key that is not listed here yields an empty string when
# looked up.
declare -A RESOURCE_TYPE_MAP=(
  [arm]='https://management.azure.com'
  [aad-graph]='https://graph.windows.net'
  [ms-graph]='https://graph.microsoft.com'
  [batch]='https://batch.core.windows.net'
  [data-lake]='https://datalake.azure.net'
  [media]='https://rest.media.azure.net'
  [oss-rdbms]='https://ossrdbms-aad.database.windows.net'
)
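#######################################
# Escape a string for embedding inside a JSON string literal.
# Arguments: $1 - raw string
# Outputs:   escaped string on stdout (no trailing newline)
# Backslash and double quote are escaped first, then newline, carriage return
# and tab. Other control bytes are passed through unchanged; a well-formed
# access token is not expected to contain any.
#######################################
_az_shim_json_escape() {
  local s=$1
  local nl=$'\n' cr=$'\r' tab=$'\t'
  s="${s//\\/\\\\}"
  s="${s//\"/\\\"}"
  s=${s//$nl/\\n}
  s=${s//$cr/\\r}
  s=${s//$tab/\\t}
  printf '%s' "$s"
}

# Check if this is a get-access-token request that we should intercept
if [[ "$1" == "account" && "$2" == "get-access-token" ]]; then
  resource=""
  scope=""
  resource_type=""
  prev=""

  # Accept both '--opt=value' and '--opt value' forms. Only --resource, --scope
  # and --resource-type are read; every other option on the command line (for
  # example --tenant or --output) is not inspected, so an intercepted call
  # always produces the JSON document below.
  for arg in "${@:3}"; do
    case "$arg" in
      --resource=*) resource="${arg#--resource=}" ;;
      --scope=*) scope="${arg#--scope=}" ;;
      --resource-type=*) resource_type="${arg#--resource-type=}" ;;
      *)
        case "$prev" in
          --resource) resource="$arg" ;;
          --scope) scope="$arg" ;;
          --resource-type) resource_type="$arg" ;;
        esac
        ;;
    esac
    prev="$arg"
  done

  # Resolve resource-type to resource URL if specified. An unknown type leaves
  # resource empty, so no scope is derived and the real az handles the call.
  if [[ -n "$resource_type" && -z "$resource" ]]; then
    resource="${RESOURCE_TYPE_MAP[$resource_type]}"
  fi

  # Determine the scope to request: an explicit --scope wins, otherwise the
  # resource with '/.default' appended unless it already ends with it.
  request_scope=""
  if [[ -n "$scope" ]]; then
    request_scope="$scope"
  elif [[ -n "$resource" ]]; then
    if [[ "$resource" == *"/.default" ]]; then
      request_scope="$resource"
    else
      request_scope="${resource}/.default"
    fi
  fi

  # If we have a scope and azure-auth-helper exists, use it
  if [[ -n "$request_scope" && -f "${HOME}/azure-auth-helper" ]]; then
    # The helper's stderr is discarded; a non-zero status or empty output falls
    # through to the real az instead of emitting a token document.
    if token=$("${HOME}/azure-auth-helper" get-access-token "$request_scope" 2>/dev/null) \
      && [[ -n "$token" ]]; then
      # Escape token for safe JSON embedding, so unexpected helper output
      # (quotes, backslashes, line breaks) cannot break out of the string.
      escaped_token=$(_az_shim_json_escape "$token")

      # Calculate expiry timestamps (conservative 1 hour estimate)
      # expires_on = POSIX timestamp, expiresOn = local datetime
      # NOTE(review): only the token string is read from the helper, so the real
      # expiry is unknown here; callers that cache until expiresOn may hold a
      # token past its actual lifetime - confirm against the helper's behavior.
      # The datetime is formatted from the same epoch value so both fields agree.
      if date --version >/dev/null 2>&1; then
        # GNU date (Linux)
        expires_on=$(date -d "+1 hour" "+%s")
        expires_on_datetime=$(date -d "@${expires_on}" "+%Y-%m-%d %H:%M:%S.000000")
      else
        # BSD date (macOS)
        expires_on=$(date -v+1H "+%s")
        expires_on_datetime=$(date -r "${expires_on}" "+%Y-%m-%d %H:%M:%S.000000")
      fi

      # Return in az CLI JSON format (matching real az CLI output).
      # subscription and tenant are always emitted as empty strings.
      cat <<EOF
{
"accessToken": "${escaped_token}",
"expiresOn": "${expires_on_datetime}",
"expires_on": ${expires_on},
"subscription": "",
"tenant": "",
"tokenType": "Bearer"
}
EOF
      exit 0
    fi
  fi
fi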
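# Fall through to real az CLI for all other commands
AZ_EXE="$(resolve_shim)"
if [[ -z "$AZ_EXE" ]]; then
  echo "Error: Azure CLI not found in PATH" >&2
  exit 1
fi

# If AZURE_DEVOPS_EXT_PAT is not already set, try to acquire it from ado-auth-helper
# so that 'az' commands that interact with azure devops authenticate automatically.
# Examples are things like: `az devops`, `az boards`, `az pipelines`, `az repos`, `az artifacts`, etc.
#
# The variable is exported only when the helper exists, succeeds and prints a
# non-empty value; otherwise it is left untouched rather than being passed to
# az as an empty string.
# NOTE(review): the token is acquired for every az invocation that reaches this
# point, not only Azure DevOps ones, and it lives in the environment of az and
# of any process az starts. Narrowing this to the DevOps command groups would
# reduce where the credential is exposed.
if [[ -z "${AZURE_DEVOPS_EXT_PAT:-}" && -f "${HOME}/ado-auth-helper" ]]; then
  if ado_pat=$("${HOME}/ado-auth-helper" get-access-token 2>/dev/null) \
    && [[ -n "$ado_pat" ]]; then
    export AZURE_DEVOPS_EXT_PAT="$ado_pat"
  fi
fi

exec "${AZ_EXE}" "$@"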