fix: use HasSuffix check for generating scope (#660)

Signed-off-by: Anish Ramasekar <[email protected]>
Azure · Dec 9, 2022 · 7e807f7 · 7e807f7
1 parent b52c7f9
commit 7e807f7
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 11 deletions.
diff --git a/pkg/proxy/proxy.go b/pkg/proxy/proxy.go
@@ -191,17 +191,7 @@ func doTokenRequest(ctx context.Context, clientID, resource, tenantID, authority
 		return nil, errors.Wrap(err, "failed to create confidential client app")
 	}
 
-	// ref: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/747
-	// For MSAL (v2.0 endpoint) asking an access token for a resource that accepts a v1.0 access token,
-	// Azure AD parses the desired audience from the requested scope by taking everything before the
-	// last slash and using it as the resource identifier.
-	// For example, if the scope is "https://vault.azure.net/.default", the resource identifier is "https://vault.azure.net".
-	// If the scope is "http://database.windows.net//.default", the resource identifier is "http://database.windows.net/".
-	scope := resource
-	if !strings.HasPrefix(scope, "/.default") {
-		scope = scope + "/.default"
-	}
-	result, err := confidentialClientApp.AcquireTokenByCredential(ctx, []string{scope})
+	result, err := confidentialClientApp.AcquireTokenByCredential(ctx, []string{getScope(resource)})
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to acquire token")
 	}
@@ -243,3 +233,16 @@ func readJWTFromFS(tokenFilePath string) (string, error) {
 	}
 	return string(token), nil
 }
+
+// ref: https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/747
+// For MSAL (v2.0 endpoint) asking an access token for a resource that accepts a v1.0 access token,
+// Azure AD parses the desired audience from the requested scope by taking everything before the
+// last slash and using it as the resource identifier.
+// For example, if the scope is "https://vault.azure.net/.default", the resource identifier is "https://vault.azure.net".
+// If the scope is "http://database.windows.net//.default", the resource identifier is "http://database.windows.net/".
+func getScope(resource string) string {
+	if !strings.HasSuffix(resource, "/.default") {
+		resource = resource + "/.default"
+	}
+	return resource
+}
diff --git a/pkg/proxy/proxy_test.go b/pkg/proxy/proxy_test.go
@@ -307,3 +307,36 @@ func TestProxy_ReadyZHandler(t *testing.T) {
 		})
 	}
 }
+
+func TestGetScope(t *testing.T) {
+	tests := []struct {
+		name     string
+		scope    string
+		expected string
+	}{
+		{
+			name:     "resource doesn't have /.default suffix",
+			scope:    "https://vault.azure.net",
+			expected: "https://vault.azure.net/.default",
+		},
+		{
+			name:     "resource has /.default suffix",
+			scope:    "https://vault.azure.net/.default",
+			expected: "https://vault.azure.net/.default",
+		},
+		{
+			name:     "resource doesn't  have /.default suffix and has trailing slash",
+			scope:    "https://vault.azure.net/",
+			expected: "https://vault.azure.net//.default",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			scope := getScope(test.scope)
+			if scope != test.expected {
+				t.Errorf("expected scope %s, got %s", test.expected, scope)
+			}
+		})
+	}
+}