feat(azure): add experimental Azure endpoint support (#1936)

api/http/proxy/azure_transport.go

@@ -0,0 +1,81 @@
+package proxy
+
+import (
+	"net/http"
+	"strconv"
+	"sync"
+	"time"
+
+	"github.com/portainer/portainer"
+	"github.com/portainer/portainer/http/client"
+)
+
+type (
+	azureAPIToken struct {
+		value          string
+		expirationTime time.Time
+	}
+
+	// AzureTransport represents a transport used when executing HTTP requests
+	// against the Azure API.
+	AzureTransport struct {
+		credentials *portainer.AzureCredentials
+		client      *client.HTTPClient
+		token       *azureAPIToken
+		mutex       sync.Mutex
+	}
+)
+
+// NewAzureTransport returns a pointer to an AzureTransport instance.
+func NewAzureTransport(credentials *portainer.AzureCredentials) *AzureTransport {
+	return &AzureTransport{
+		credentials: credentials,
+		client:      client.NewHTTPClient(),
+	}
+}
+
+func (transport *AzureTransport) authenticate() error {
+	token, err := transport.client.ExecuteAzureAuthenticationRequest(transport.credentials)
+	if err != nil {
+		return err
+	}
+
+	expiresOn, err := strconv.ParseInt(token.ExpiresOn, 10, 64)
+	if err != nil {
+		return err
+	}
+
+	transport.token = &azureAPIToken{
+		value:          token.AccessToken,
+		expirationTime: time.Unix(expiresOn, 0),
+	}
+
+	return nil
+}
+
+func (transport *AzureTransport) retrieveAuthenticationToken() error {
+	transport.mutex.Lock()
+	defer transport.mutex.Unlock()
+
+	if transport.token == nil {
+		return transport.authenticate()
+	}
+
+	timeLimit := time.Now().Add(-5 * time.Minute)
+	if timeLimit.After(transport.token.expirationTime) {
+		return transport.authenticate()
+	}
+
+	return nil
+}
+
+// RoundTrip is the implementation of the Transport interface.
+func (transport *AzureTransport) RoundTrip(request *http.Request) (*http.Response, error) {
+	err := transport.retrieveAuthenticationToken()
+	if err != nil {
+		return nil, err
+	}
+
+	request.Header.Set("Authorization", "Bearer "+transport.token.value)
+	return http.DefaultTransport.RoundTrip(request)
+}

api/http/proxy/factory.go

@@ -10,6 +10,8 @@ import (
 	"github.com/portainer/portainer/crypto"
 )
 
+const azureAPIBaseURL = "https://management.azure.com"
+
 // proxyFactory is a factory to create reverse proxies to Docker endpoints
 type proxyFactory struct {
 	ResourceControlService portainer.ResourceControlService
@@ -20,11 +22,23 @@ type proxyFactory struct {
 	SignatureService       portainer.DigitalSignatureService
 }
 
-func (factory *proxyFactory) newExtensionHTTPPRoxy(u *url.URL) http.Handler {
+func (factory *proxyFactory) newHTTPProxy(u *url.URL) http.Handler {
 	u.Scheme = "http"
 	return newSingleHostReverseProxyWithHostHeader(u)
 }
 
+func newAzureProxy(credentials *portainer.AzureCredentials) (http.Handler, error) {
+	url, err := url.Parse(azureAPIBaseURL)
+	if err != nil {
+		return nil, err
+	}
+
+	proxy := newSingleHostReverseProxyWithHostHeader(url)
+	proxy.Transport = NewAzureTransport(credentials)
+
+	return proxy, nil
+}
+
 func (factory *proxyFactory) newDockerHTTPSProxy(u *url.URL, tlsConfig *portainer.TLSConfiguration, enableSignature bool) (http.Handler, error) {
 	u.Scheme = "https"
 

api/http/proxy/manager.go

@@ -44,33 +44,39 @@ func NewManager(parameters *ManagerParams) *Manager {
 	}
 }
 
-// CreateAndRegisterProxy creates a new HTTP reverse proxy and adds it to the registered proxies.
-// It can also be used to create a new HTTP reverse proxy and replace an already registered proxy.
-func (manager *Manager) CreateAndRegisterProxy(endpoint *portainer.Endpoint) (http.Handler, error) {
-	var proxy http.Handler
+func (manager *Manager) createDockerProxy(endpointURL *url.URL, tlsConfig *portainer.TLSConfiguration) (http.Handler, error) {
+	if endpointURL.Scheme == "tcp" {
+		if tlsConfig.TLS || tlsConfig.TLSSkipVerify {
+			return manager.proxyFactory.newDockerHTTPSProxy(endpointURL, tlsConfig, false)
+		}
+		return manager.proxyFactory.newDockerHTTPProxy(endpointURL, false), nil
+	}
+	// Assume unix:// scheme
+	return manager.proxyFactory.newDockerSocketProxy(endpointURL.Path), nil
+}
 
+func (manager *Manager) createProxy(endpoint *portainer.Endpoint) (http.Handler, error) {
 	endpointURL, err := url.Parse(endpoint.URL)
 	if err != nil {
 		return nil, err
 	}
 
-	enableSignature := false
-	if endpoint.Type == portainer.AgentOnDockerEnvironment {
-		enableSignature = true
+	switch endpoint.Type {
+	case portainer.AgentOnDockerEnvironment:
+		return manager.proxyFactory.newDockerHTTPSProxy(endpointURL, &endpoint.TLSConfig, true)
+	case portainer.AzureEnvironment:
+		return newAzureProxy(&endpoint.AzureCredentials)
+	default:
+		return manager.createDockerProxy(endpointURL, &endpoint.TLSConfig)
 	}
+}
 
-	if endpointURL.Scheme == "tcp" {
-		if endpoint.TLSConfig.TLS {
-			proxy, err = manager.proxyFactory.newDockerHTTPSProxy(endpointURL, &endpoint.TLSConfig, enableSignature)
-			if err != nil {
-				return nil, err
-			}
-		} else {
-			proxy = manager.proxyFactory.newDockerHTTPProxy(endpointURL, enableSignature)
-		}
-	} else {
-		// Assume unix:// scheme
-		proxy = manager.proxyFactory.newDockerSocketProxy(endpointURL.Path)
+// CreateAndRegisterProxy creates a new HTTP reverse proxy based on endpoint properties and and adds it to the registered proxies.
+// It can also be used to create a new HTTP reverse proxy and replace an already registered proxy.
+func (manager *Manager) CreateAndRegisterProxy(endpoint *portainer.Endpoint) (http.Handler, error) {
+	proxy, err := manager.createProxy(endpoint)
+	if err != nil {
+		return nil, err
 	}
 
 	manager.proxies.Set(string(endpoint.ID), proxy)
@@ -99,7 +105,7 @@ func (manager *Manager) CreateAndRegisterExtensionProxy(key, extensionAPIURL str
 		return nil, err
 	}
 
-	proxy := manager.proxyFactory.newExtensionHTTPPRoxy(extensionURL)
+	proxy := manager.proxyFactory.newHTTPProxy(extensionURL)
 	manager.extensionProxies.Set(key, proxy)
 	return proxy, nil
 }

api/http/proxy/reverse_proxy.go

@@ -7,7 +7,7 @@ import (
 	"strings"
 )
 
-// NewSingleHostReverseProxyWithHostHeader is based on NewSingleHostReverseProxy
+// newSingleHostReverseProxyWithHostHeader is based on NewSingleHostReverseProxy
 // from golang.org/src/net/http/httputil/reverseproxy.go and merely sets the Host
 // HTTP header, which NewSingleHostReverseProxy deliberately preserves.
 func newSingleHostReverseProxyWithHostHeader(target *url.URL) *httputil.ReverseProxy {