
in client/internal/bootstrap/auth.go [33:86]


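// getAccessToken obtains an Azure AD access token for resource, choosing the
// first credential source that applies:
//
//  1. A user-assigned managed identity, when customClientID is non-empty or
//     azureConfig.UserAssignedIdentityID is set (customClientID takes precedence).
//  2. A service principal authenticated with a client secret, when
//     azureConfig.ClientSecret does not start with certificateSecretPrefix.
//  3. A service principal authenticated with a certificate, when ClientSecret
//     carries a base64-encoded PFX blob after certificateSecretPrefix.
//
// In every case the adal token is handed to c.extractAccessTokenFunc and its
// result is returned unchanged. Errors are wrapped with the step that failed.
// Only the client ID is logged; the secret and certificate material are not.
//
// NOTE(review): the managed-identity branch does not use azureConfig.Cloud or
// TenantID, so those fields may be empty in MSI-only configurations; the two
// service-principal branches require both.
func (c *Client) getAccessToken(customClientID, resource string, azureConfig *datamodel.AzureConfig) (string, error) {
	// Guard before the first field access: a nil config previously panicked
	// here instead of surfacing as an error the caller can handle.
	if azureConfig == nil {
		return "", fmt.Errorf("generating access token: azure config is nil")
	}

	// An explicit client ID from the caller overrides the configured one.
	userAssignedID := azureConfig.UserAssignedIdentityID
	if customClientID != "" {
		userAssignedID = customClientID
	}

	if userAssignedID != "" {
		c.logger.Info("generating MSI access token", zap.String("clientId", userAssignedID))
		token, err := adal.NewServicePrincipalTokenFromManagedIdentity(resource, &adal.ManagedIdentityOptions{
			ClientID: userAssignedID,
		})
		if err != nil {
			return "", fmt.Errorf("generating MSI access token: %w", err)
		}
		return c.extractAccessTokenFunc(token)
	}

	// Both service-principal flows need the AAD endpoint for the configured
	// cloud and the tenant to authenticate against.
	env, err := azure.EnvironmentFromName(azureConfig.Cloud)
	if err != nil {
		return "", fmt.Errorf("getting azure environment config for cloud %q: %w", azureConfig.Cloud, err)
	}
	oauthConfig, err := adal.NewOAuthConfig(env.ActiveDirectoryEndpoint, azureConfig.TenantID)
	if err != nil {
		return "", fmt.Errorf("creating oauth config with azure environment: %w", err)
	}

	// The ClientSecret field is overloaded: without the certificate prefix it
	// is a plain client secret ("password" in the log message below), with it
	// the remainder is a base64 PFX blob.
	if !strings.HasPrefix(azureConfig.ClientSecret, certificateSecretPrefix) {
		c.logger.Info("generating SPN access token with username and password", zap.String("clientId", azureConfig.ClientID))
		token, err := adal.NewServicePrincipalToken(*oauthConfig, azureConfig.ClientID, azureConfig.ClientSecret, resource)
		if err != nil {
			return "", fmt.Errorf("generating SPN access token with username and password: %w", err)
		}
		return c.extractAccessTokenFunc(token)
	}

	c.logger.Info("client secret contains certificate data, using certificate to generate SPN access token", zap.String("clientId", azureConfig.ClientID))

	certData, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(azureConfig.ClientSecret, certificateSecretPrefix))
	if err != nil {
		return "", fmt.Errorf("b64-decoding certificate data in client secret: %w", err)
	}
	// The PFX is decoded with an empty password, so a password-protected PFX
	// fails here rather than at token acquisition.
	certificate, privateKey, err := adal.DecodePfxCertificateData(certData, "")
	if err != nil {
		return "", fmt.Errorf("decoding pfx certificate data in client secret: %w", err)
	}

	c.logger.Info("generating SPN access token with certificate", zap.String("clientId", azureConfig.ClientID))
	token, err := adal.NewServicePrincipalTokenFromCertificate(*oauthConfig, azureConfig.ClientID, certificate, privateKey, resource)
	if err != nil {
		return "", fmt.Errorf("generating SPN access token with certificate: %w", err)
	}

	return c.extractAccessTokenFunc(token)
}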