def _get_and_write_certificate(cmd, public_key_file, cert_file, ssh_client_folder):
    """Obtain an AAD-issued SSH certificate for *public_key_file* and write it to disk.

    The token scope is selected from the active cloud (``cmd.cli_ctx.cloud.name``);
    an unrecognised cloud raises ``azclierror.InvalidArgumentValueError`` before any
    token is requested. The certificate comes from ``Profile.get_msal_token`` when
    the running CLI provides it, otherwise from the login credential's ``get_token``.

    Args:
        cmd: CLI command object; ``cmd.cli_ctx`` supplies the cloud and the Profile.
        public_key_file: path of the SSH public key the certificate is issued for.
        cert_file: destination path; when falsy, ``<public_key_file>-aadcert.pub``.
        ssh_client_folder: forwarded to ``ssh_utils.get_ssh_cert_principals``.

    Returns:
        ``(cert_file, username)`` where *username* is the first principal read back
        from the written certificate, lower-cased. The principal is taken from the
        certificate rather than the token because UPN and email can differ for
        guest accounts.

    NOTE(review): the written file is an SSH credential for its validity period;
    its on-disk permissions are decided inside ``_write_cert_file`` (not visible here).
    """
    scope_by_cloud = {
        "azurecloud": "https://pas.windows.net/CheckMyAccess/Linux/.default",
        "azurechinacloud": "https://pas.chinacloudapi.cn/CheckMyAccess/Linux/.default",
        "azureusgovernment": "https://pasff.usgovcloudapi.net/CheckMyAccess/Linux/.default",
    }
    cloud_name = cmd.cli_ctx.cloud.name.lower()
    scope = scope_by_cloud.get(cloud_name)
    if not scope:
        raise azclierror.InvalidArgumentValueError(
            f"Unsupported cloud {cloud_name}",
            "Supported clouds include azurecloud,azurechinacloud,azureusgovernment")
    scopes = [scope]

    # presumably a JWK built from the public key that the token endpoint binds the cert to — TODO confirm
    jwk_data = _prepare_jwk_data(public_key_file)

    from azure.cli.core._profile import Profile
    profile = Profile(cli_ctx=cmd.cli_ctx)
    # The presence of get_msal_token distinguishes newer CLI clients from older (ADAL-era) ones.
    # TODO: drop the fallback branch once adal has been deprecated for a while.
    if hasattr(profile, "get_msal_token"):
        # The username returned alongside the certificate is intentionally discarded.
        _, certificate = profile.get_msal_token(scopes, jwk_data)
    else:
        subscription_id = profile.get_subscription()["id"]
        credential, _, _ = profile.get_login_credentials(subscription_id=subscription_id)
        certificate = credential.get_token(*scopes, data=jwk_data).token

    if not cert_file:
        cert_file = public_key_file + "-aadcert.pub"
    logger.debug("Generating certificate %s", cert_file)
    _write_cert_file(certificate, cert_file)

    # Read the principal from the certificate itself (see docstring for why).
    principals = ssh_utils.get_ssh_cert_principals(cert_file, ssh_client_folder)
    username = principals[0]
    return cert_file, username.lower()
def _get_and_write_certificate(cmd, public_key_file, cert_file):
    """Request an AAD SSH certificate for *public_key_file* and persist it.

    Uses the fixed public-cloud ``user_impersonation`` scope and
    ``Profile.get_msal_token`` (no fallback for older clients).

    Args:
        cmd: CLI command object; ``cmd.cli_ctx`` is used to build the Profile.
        public_key_file: path of the SSH public key to certify.
        cert_file: destination path; when falsy, ``<public_key_file>-aadcert.pub``.

    Returns:
        A pair of whatever ``_write_cert_file`` returns and the token's
        username, lower-cased.
    """
    scopes = ["https://pas.windows.net/CheckMyAccess/Linux/user_impersonation"]
    # presumably a JWK derived from the public key — TODO confirm against _prepare_jwk_data
    jwk_data = _prepare_jwk_data(public_key_file)

    from azure.cli.core._profile import Profile
    username, certificate = Profile(cli_ctx=cmd.cli_ctx).get_msal_token(scopes, jwk_data)

    target_path = cert_file or public_key_file + "-aadcert.pub"
    return _write_cert_file(certificate, target_path), username.lower()
def _get_and_write_certificate(cmd, public_key_file, cert_file):
    """Request an AAD SSH certificate for *public_key_file*, write it, and report its principal.

    Uses the fixed public-cloud ``.default`` scope and ``Profile.get_msal_token``.
    The username bundled with the token is discarded; the login name is read back
    from the written certificate's principals because UPN and email can differ in
    guest scenarios.

    Args:
        cmd: CLI command object; ``cmd.cli_ctx`` is used to build the Profile.
        public_key_file: path of the SSH public key to certify.
        cert_file: destination path; when falsy, ``<public_key_file>-aadcert.pub``.

    Returns:
        ``(cert_file, username)`` with *username* lower-cased.
    """
    scopes = ["https://pas.windows.net/CheckMyAccess/Linux/.default"]
    # presumably a JWK derived from the public key — TODO confirm against _prepare_jwk_data
    jwk_data = _prepare_jwk_data(public_key_file)

    from azure.cli.core._profile import Profile
    profile = Profile(cli_ctx=cmd.cli_ctx)
    _, certificate = profile.get_msal_token(scopes, jwk_data)

    if not cert_file:
        cert_file = public_key_file + "-aadcert.pub"
    _write_cert_file(certificate, cert_file)

    # First valid principal of the freshly written certificate is the login name.
    first_principal = ssh_utils.get_ssh_cert_principals(cert_file)[0]
    return cert_file, first_principal.lower()
def _do_ssh_op(cmd, resource_group, vm_name, ssh_ip, public_key_file, private_key_file, op_call):
    """Resolve the target VM, mint an AAD SSH certificate, and hand off to *op_call*.

    Args:
        cmd: CLI command object; ``cmd.cli_ctx`` is used to build the Profile.
        resource_group: resource group of the VM (validated by ``_assert_args``).
        vm_name: name of the VM (validated by ``_assert_args``).
        ssh_ip: explicit target address; when falsy it is looked up via
            ``ip_utils.get_ssh_ip``.
        public_key_file: SSH public key path; normalised by ``_check_public_private_files``.
        private_key_file: SSH private key path; normalised by ``_check_public_private_files``.
        op_call: callable invoked as ``op_call(ssh_ip, username, cert_file, private_key_file)``.

    Raises:
        util.CLIError: when no IP address could be determined for the VM.
    """
    _assert_args(resource_group, vm_name, ssh_ip)
    public_key_file, private_key_file = _check_public_private_files(public_key_file, private_key_file)

    if not ssh_ip:
        ssh_ip = ip_utils.get_ssh_ip(cmd, resource_group, vm_name)
    if not ssh_ip:
        raise util.CLIError(f"VM '{vm_name}' does not have a public IP address to SSH to")

    scopes = ["https://pas.windows.net/CheckMyAccess/Linux/user_impersonation"]
    # presumably a JWK derived from the public key — TODO confirm against _prepare_jwk_data
    jwk_data = _prepare_jwk_data(public_key_file)

    from azure.cli.core._profile import Profile
    username, certificate = Profile(cli_ctx=cmd.cli_ctx).get_msal_token(scopes, jwk_data)

    # NOTE: argument order here (public key, then certificate) is what this version of
    # _write_cert_file expects; do not swap without checking its signature.
    cert_file = _write_cert_file(public_key_file, certificate)
    op_call(ssh_ip, username, cert_file, private_key_file)