openark · BtQuentin · Apr 9, 2024
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -14,7 +14,7 @@
 # ORC_USER (default: orc_server_user): username used to login to orchestrator backend MySQL server
 # ORC_PASSWORD (default: orc_server_password): password used to login to orchestrator backend MySQL server
 
-FROM golang:1.16.6-alpine3.14 as build
+FROM golang:1.18-alpine3.17 as build
 
 ENV GOPATH=/tmp/go
 
@@ -28,7 +28,7 @@ RUN rsync -av $(find /tmp/orchestrator-release -type d -name orchestrator -maxde
 RUN rsync -av $(find /tmp/orchestrator-release -type d -name orchestrator-client -maxdepth 2)/ /
 RUN cp conf/orchestrator-sample-sqlite.conf.json /etc/orchestrator.conf.json
 
-FROM alpine:3.14
+FROM alpine:3.17
 
 RUN apk --no-cache add bash curl jq
 

diff --git a/docs/README.md b/docs/README.md
@@ -42,6 +42,7 @@
 
 #### Various
 - [Security](security.md)
+    - [Azure](azure.md)
 - [SSL and TLS](ssl-and-tls.md)
 - [Pseudo GTID](pseudo-gtid.md): refactoring and high availability without using GTID.
 - [Agents](agents.md)

diff --git a/docs/azure.md b/docs/azure.md
@@ -0,0 +1,32 @@
+# Security
+
+## Microsoft Azure AD Authentication
+
+### 1. Create the Azure Application
+
+First of all, you need to register an application on Azure.
+
+This must be done from [https://portal.azure.com/](https://portal.azure.com/)
+
+You can follow the Microsoft documentation [Quickstart: Register an application with the Microsoft identity platform](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) if you don't know how to do this.
+
+The only important point, is for the "Platform Configurations", you need to set it as "Mobile and desktop applications" with the redirect URI as "http://localhost".
+
+
+### 2. Configuration in `Orchestrator`
+
+Add the following to `orchestrator`'s configuration file:
+
+       "AuthenticationMethod": "azure",
+       "AzureClientID": "<application_client_id>",
+       "AzureTenantID": "<directory (tenant) ID>",
+       "AzureGraphUserScope": "User.Read",
+       "AzureRedirectURL": "http://localhost",
+       "AzureApplicationName": "<display_name>",
+       "AzureApplicationID": "<object_id>",
+       "AzureAdminRole": "<app_roles_value>",
+
+![Azure App Registration](images/azure-app-registration.png)
+![Azure Platform Configuration](images/azure-platform-configurations.png)
+![Azure App Roles](images/azure-app-roles.png)
+![Azure Users and Groups](images/azure-users-and-groups.png)
diff --git a/docs/images/azure-app-registration.png b/docs/images/azure-app-registration.png
diff --git a/docs/images/azure-app-roles.png b/docs/images/azure-app-roles.png
diff --git a/docs/images/azure-platform-configurations.png b/docs/images/azure-platform-configurations.png
diff --git a/docs/images/azure-users-and-groups.png b/docs/images/azure-users-and-groups.png
diff --git a/docs/security.md b/docs/security.md
@@ -54,6 +54,11 @@ When operating in HTTP mode (API or Web), access to `orchestrator` may be restri
             "wallace", "gromit", "shaun"
             ],
 
+*  _Microsoft Azure AD authentication_
+
+   Check the specific documentation: [Azure](azure.md)
+
+
 Or, regardless, you may turn the entire `orchestrator` process to be read only via:
 
 

diff --git a/docs/toc.md b/docs/toc.md
@@ -42,6 +42,7 @@
 
 #### Various
 - [Security](security.md)
+    - [Azure](azure.md)
 - [SSL and TLS](ssl-and-tls.md)
 - [Pseudo GTID](pseudo-gtid.md): refactoring and high availability without using GTID.
 - [Agents](agents.md)

diff --git a/go.mod b/go.mod
@@ -1,48 +1,92 @@
 module github.com/openark/orchestrator
 
-go 1.16
+go 1.18
 
 require (
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.2.1
 	github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6
-	github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0 // indirect
 	github.com/cyberdelia/go-metrics-graphite v0.0.0-20161219230853-39f87cc3b432
-	github.com/fatih/color v1.10.0 // indirect
 	github.com/go-martini/martini v0.0.0-20170121215854-22fa46961aab
 	github.com/go-sql-driver/mysql v1.6.0
-	github.com/google/btree v1.0.0 // indirect
+	github.com/google/uuid v1.3.0
 	github.com/hashicorp/consul/api v1.7.0
+	github.com/hashicorp/raft v0.0.0-00010101000000-000000000000
+	github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c
+	github.com/martini-contrib/auth v0.0.0-20150219114609-fa62c19b7ae8
+	github.com/martini-contrib/gzip v0.0.0-20151124214156-6c035326b43f
+	github.com/martini-contrib/render v0.0.0-20150707142108-ec18f8345a11
+	github.com/martini-contrib/sessions v0.0.0-20140630231722-fa13114fbcf0
+	github.com/mattn/go-sqlite3 v1.14.7
+	github.com/microsoftgraph/msgraph-sdk-go v0.55.0
+	github.com/montanaflynn/stats v0.6.6
+	github.com/openark/golib v0.0.0-20210520103621-827f3ea62180
+	github.com/outbrain/zookeepercli v1.0.12
+	github.com/patrickmn/go-cache v2.1.0+incompatible
+	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475
+	github.com/samuel/go-zookeeper v0.0.0-20201211165307-7117e9ea2414
+	github.com/sjmudd/stopwatch v0.0.0-20170103085848-637ef30077b7
+	gopkg.in/gcfg.v1 v1.2.3
+)
+
+require (
+	github.com/boj/redistore v0.0.0-20180917114910-cd5dcc76aeff // indirect
+	github.com/gomodule/redigo v2.0.0+incompatible // indirect
+	github.com/gorilla/context v1.1.1 // indirect
+	github.com/gorilla/securecookie v1.1.1 // indirect
+	github.com/gorilla/sessions v1.2.1 // indirect
+)
+
+require (
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.3.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.2 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v0.8.1 // indirect
+	github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da // indirect
+	github.com/cjlapao/common-go v0.0.37 // indirect
+	github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/fatih/color v1.13.0 // indirect
+	github.com/go-logr/logr v1.2.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/golang-jwt/jwt/v4 v4.4.2 // indirect
+	github.com/google/btree v1.0.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2-0.20190406162018-d3fcbee8e181 // indirect
 	github.com/hashicorp/go-hclog v0.15.1-0.20201116205511-59fbd7b93270 // indirect
 	github.com/hashicorp/go-immutable-radix v1.3.0 // indirect
+	github.com/hashicorp/go-msgpack v0.5.3 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.3-0.20191216101743-c8a9a31cbd76 // indirect
 	github.com/hashicorp/go-sockaddr v1.0.2 // indirect
 	github.com/hashicorp/go-uuid v1.0.2 // indirect
 	github.com/hashicorp/golang-lru v0.5.4 // indirect
-	github.com/hashicorp/raft v0.0.0-00010101000000-000000000000
 	github.com/hashicorp/serf v0.9.5 // indirect
-	github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c
-	github.com/martini-contrib/auth v0.0.0-20150219114609-fa62c19b7ae8
-	github.com/martini-contrib/gzip v0.0.0-20151124214156-6c035326b43f
-	github.com/martini-contrib/render v0.0.0-20150707142108-ec18f8345a11
-	github.com/mattn/go-isatty v0.0.13-0.20200128103942-cb30d6282491 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.16 // indirect
+	github.com/microsoft/kiota-abstractions-go v0.17.0 // indirect
+	github.com/microsoft/kiota-authentication-azure-go v0.6.0 // indirect
+	github.com/microsoft/kiota-http-go v0.14.0 // indirect
+	github.com/microsoft/kiota-serialization-form-go v0.3.0 // indirect
+	github.com/microsoft/kiota-serialization-json-go v0.8.1 // indirect
+	github.com/microsoft/kiota-serialization-text-go v0.7.0 // indirect
+	github.com/microsoftgraph/msgraph-sdk-go-core v0.33.1 // indirect
 	github.com/miekg/dns v1.1.31 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.14.0 // indirect
 	github.com/mitchellh/mapstructure v1.3.3 // indirect
-	github.com/montanaflynn/stats v0.0.0-20161102194025-f8cd06f93c6c
-	github.com/openark/golib v0.0.0-20210520103621-827f3ea62180
 	github.com/outbrain/golib v0.0.0-20200503083229-2531e5dbcc71 // indirect
-	github.com/outbrain/zookeepercli v1.0.12
 	github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c // indirect
-	github.com/patrickmn/go-cache v2.1.0+incompatible
-	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475
-	github.com/samuel/go-zookeeper v0.0.0-20201211165307-7117e9ea2414
-	github.com/sjmudd/stopwatch v0.0.0-20170103085848-637ef30077b7
-	github.com/stretchr/testify v1.6.1 // indirect
-	golang.org/x/crypto v0.0.0-20200930160638-afb6bcd081ae // indirect
-	golang.org/x/net v0.0.0-20200930145003-4acb6c075d10 // indirect
-	golang.org/x/sys v0.0.0-20201126233918-771906719818 // indirect
-	gopkg.in/gcfg.v1 v1.2.3
+	github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/stretchr/testify v1.8.1 // indirect
+	github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
+	go.opentelemetry.io/otel v1.11.2 // indirect
+	go.opentelemetry.io/otel/trace v1.11.2 // indirect
+	golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88 // indirect
+	golang.org/x/net v0.5.0 // indirect
+	golang.org/x/sys v0.4.0 // indirect
+	golang.org/x/term v0.4.0 // indirect
+	golang.org/x/text v0.6.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
 replace github.com/hashicorp/raft => github.com/openark/raft v0.0.0-20170918052300-fba9f909f7fe