def _get_and_write_certificate(cmd, public_key_file, cert_file, ssh_client_folder):
    """Obtain an AAD-issued SSH certificate for *public_key_file* and write it to disk.

    The token scope is selected from the cloud the CLI context is configured
    for; any cloud outside the known set is rejected before a token request
    is made.

    Args:
        cmd: CLI command object; ``cmd.cli_ctx`` supplies the cloud name and
            the login profile.
        public_key_file: path of the SSH public key the certificate is issued for.
        cert_file: destination path for the certificate; a falsy value derives
            ``<public_key_file>-aadcert.pub`` next to the public key.
        ssh_client_folder: forwarded to ``ssh_utils.get_ssh_cert_principals``.

    Returns:
        ``(cert_file, username)`` -- the path actually written and the first
        principal listed in the written certificate, lower-cased.

    Raises:
        azclierror.InvalidArgumentValueError: if the cloud name is not one of
            azurecloud, azurechinacloud or azureusgovernment.
    """
    scope_by_cloud = {
        "azurecloud": "https://pas.windows.net/CheckMyAccess/Linux/.default",
        "azurechinacloud": "https://pas.chinacloudapi.cn/CheckMyAccess/Linux/.default",
        "azureusgovernment": "https://pasff.usgovcloudapi.net/CheckMyAccess/Linux/.default"
    }
    cloud_name = cmd.cli_ctx.cloud.name.lower()
    scope = scope_by_cloud.get(cloud_name)
    if scope is None:
        raise azclierror.InvalidArgumentValueError(
            f"Unsupported cloud {cloud_name}",
            "Supported clouds include azurecloud,azurechinacloud,azureusgovernment")

    requested_scopes = [scope]
    jwk_data = _prepare_jwk_data(public_key_file)
    from azure.cli.core._profile import Profile
    profile = Profile(cli_ctx=cmd.cli_ctx)

    # Older CLI clients expose get_msal_token; newer ones go through a credential
    # object. Presence of the attribute is the version probe here.
    # TODO: Remove when adal has been deprecated for a while
    if hasattr(profile, "get_msal_token"):
        # The username returned alongside the token is deliberately discarded;
        # the principal is read back from the written certificate instead.
        certificate = profile.get_msal_token(requested_scopes, jwk_data)[1]
    else:
        subscription_id = profile.get_subscription()["id"]
        credential = profile.get_login_credentials(subscription_id=subscription_id)[0]
        certificate = credential.get_token(*requested_scopes, data=jwk_data).token

    # Default destination sits next to the public key it was issued for.
    target_path = cert_file or public_key_file + "-aadcert.pub"

    logger.debug("Generating certificate %s", target_path)
    _write_cert_file(certificate, target_path)
    # The certificate's valid principals are authoritative: the token's UPN and
    # the account e-mail can differ in guest scenarios, so the first principal
    # of the cert we just wrote is used as the login name.
    principals = ssh_utils.get_ssh_cert_principals(target_path, ssh_client_folder)
    return target_path, principals[0].lower()
def _get_and_write_certificate(cmd, public_key_file, cert_file):
    """Request an AAD SSH certificate for *public_key_file* and write it out.

    Args:
        cmd: CLI command object whose ``cli_ctx`` is used to build the profile.
        public_key_file: path of the SSH public key to certify.
        cert_file: destination path; a falsy value derives
            ``<public_key_file>-aadcert.pub`` next to the public key.

    Returns:
        ``(written_cert_file, username)`` where the first element is whatever
        ``_write_cert_file`` returns and ``username`` is the token's username,
        lower-cased.
    """
    requested_scopes = ["https://pas.windows.net/CheckMyAccess/Linux/user_impersonation"]
    jwk_data = _prepare_jwk_data(public_key_file)
    from azure.cli.core._profile import Profile
    profile = Profile(cli_ctx=cmd.cli_ctx)
    # Both the login name and the certificate come from the token response here.
    username, certificate = profile.get_msal_token(requested_scopes, jwk_data)
    target_path = cert_file or public_key_file + "-aadcert.pub"
    written_path = _write_cert_file(certificate, target_path)
    return written_path, username.lower()
def _get_and_write_certificate(cmd, public_key_file, cert_file):
    """Request an AAD SSH certificate for *public_key_file*, write it, and read back its principal.

    Args:
        cmd: CLI command object whose ``cli_ctx`` is used to build the profile.
        public_key_file: path of the SSH public key to certify.
        cert_file: destination path; a falsy value derives
            ``<public_key_file>-aadcert.pub`` next to the public key.

    Returns:
        ``(cert_file, username)`` -- the path written and the first principal
        listed in that certificate, lower-cased.
    """
    requested_scopes = ["https://pas.windows.net/CheckMyAccess/Linux/.default"]
    jwk_data = _prepare_jwk_data(public_key_file)
    from azure.cli.core._profile import Profile
    profile = Profile(cli_ctx=cmd.cli_ctx)
    # The username in the token response is discarded on purpose (see below).
    certificate = profile.get_msal_token(requested_scopes, jwk_data)[1]
    target_path = cert_file or public_key_file + "-aadcert.pub"
    _write_cert_file(certificate, target_path)
    # The login name is taken from the certificate's valid principals rather
    # than the token, because UPN and e-mail can differ in guest scenarios.
    principals = ssh_utils.get_ssh_cert_principals(target_path)
    return target_path, principals[0].lower()
def _do_ssh_op(cmd, resource_group, vm_name, ssh_ip, public_key_file, private_key_file, op_call):
    """Resolve the target IP and key material, fetch an AAD SSH certificate, then run *op_call*.

    Args:
        cmd: CLI command object; ``cmd.cli_ctx`` is used for IP lookup and the profile.
        resource_group: resource group of the VM (validated by ``_assert_args``).
        vm_name: name of the VM; used for IP lookup and in the error message.
        ssh_ip: explicit target address; when falsy it is looked up via ``ip_utils``.
        public_key_file: SSH public key path; normalised by ``_check_public_private_files``.
        private_key_file: SSH private key path; normalised by ``_check_public_private_files``.
        op_call: callable invoked as ``op_call(ssh_ip, username, cert_file, private_key_file)``.

    Raises:
        util.CLIError: if no public IP address can be determined for the VM.
    """
    _assert_args(resource_group, vm_name, ssh_ip)
    public_key_file, private_key_file = _check_public_private_files(public_key_file, private_key_file)

    # Fall back to discovering the VM's address only when none was supplied.
    if not ssh_ip:
        ssh_ip = ip_utils.get_ssh_ip(cmd, resource_group, vm_name)
    if not ssh_ip:
        raise util.CLIError(f"VM '{vm_name}' does not have a public IP address to SSH to")

    requested_scopes = ["https://pas.windows.net/CheckMyAccess/Linux/user_impersonation"]
    jwk_data = _prepare_jwk_data(public_key_file)
    from azure.cli.core._profile import Profile
    profile = Profile(cli_ctx=cmd.cli_ctx)
    # Login name and certificate both come from the token response in this version.
    username, certificate = profile.get_msal_token(requested_scopes, jwk_data)

    # NOTE(review): argument order here is (public_key_file, certificate); the
    # destination path is chosen by _write_cert_file itself.
    cert_path = _write_cert_file(public_key_file, certificate)
    op_call(ssh_ip, username, cert_path, private_key_file)