func newAuthenticatorPolicy()

in pkg/dataplane/authenticator.go [22:56]


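// newAuthenticatorPolicy returns a bearer-token pipeline policy that sends the
// first request without a token, reads the tenant from the service's challenge,
// and then acquires a token from cred for the caller-supplied audience.
//
// Only the tenant ID is taken from the WWW-Authenticate header; the audience is
// deliberately hard-configured by the caller (see the note in OnChallenge).
func newAuthenticatorPolicy(cred azcore.TokenCredential, audience string) policy.Policy {
	return runtime.NewBearerTokenPolicy(cred, nil, &policy.BearerTokenOptions{
		AuthorizationHandler: policy.AuthorizationHandler{
			// Send the initial request without a token; the service is expected
			// to reply with a challenge that names the tenant.
			OnRequest: func(*policy.Request, func(policy.TokenRequestOptions) error) error {
				return nil
			},
			// Inspect the WWW-Authenticate header returned with the challenge and
			// authorize the retried request from it.
			OnChallenge: func(req *policy.Request, resp *http.Response, authenticateAndAuthorize func(policy.TokenRequestOptions) error) error {
				// we expect 'Bearer authorization="https://login.windows-ppe.net/5D929AE3-B37C-46AA-A3C8-C1558902F101"'
				authParam, err := parseChallengeHeader(resp.Header)
				if err != nil {
					return err
				}

				u, err := url.Parse(authParam)
				if err != nil {
					return fmt.Errorf("%w: %w", errInvalidAuthHeader, err)
				}

				// The tenant is the single path segment of the authorization URL.
				// It comes from an untrusted response header, so reject an empty or
				// multi-segment path instead of handing the credential a tenant it
				// would silently replace with its own default.
				tenantID := strings.ToLower(strings.Trim(u.Path, "/"))
				if tenantID == "" || strings.Contains(tenantID, "/") {
					return fmt.Errorf("%w: authorization URL path is not a tenant id", errInvalidAuthHeader)
				}

				// Note: "In api versions prior to 2023-09-30, the audience is included in the bearer challenge, but we recommend that partners
				// rely on hard-configuring the explicit values above for security reasons."

				// Authenticate from tenantID and the configured audience
				return authenticateAndAuthorize(policy.TokenRequestOptions{
					Scopes:   []string{audience + "/.default"},
					TenantID: tenantID,
				})
			},
		},
	})
}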