Fixed Azure Entra token scope (#10)

generalmotors · Oct 29, 2024 · 7a7d210 · 7a7d210
1 parent 7541716
commit 7a7d210
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 1 deletion.
diff --git a/sasl/azure_event_hubs_entra/azure_event_hubs_entra.go b/sasl/azure_event_hubs_entra/azure_event_hubs_entra.go
@@ -53,7 +53,8 @@ func (m *Mechanism) getEntraToken(ctx context.Context, saslMeta *sasl.Metadata)
 
 func buildTokenRequestOptions(saslMeta *sasl.Metadata) policy.TokenRequestOptions {
 	tokenRequestOptions := policy.TokenRequestOptions{
-		Scopes: []string{"https://" + saslMeta.Host},
+		Scopes:    []string{"https://" + saslMeta.Host + "/.default"},
+		EnableCAE: false,
 	}
 
 	return tokenRequestOptions

diff --git a/sasl/azure_event_hubs_entra/azure_event_hubs_entra_test.go b/sasl/azure_event_hubs_entra/azure_event_hubs_entra_test.go
@@ -3,6 +3,8 @@ package azure_event_hubs_entra
 import (
 	"context"
 	"errors"
+	"fmt"
+	"strings"
 	"testing"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
@@ -15,6 +17,24 @@ type MockTokenCredential struct {
 }
 
 func (c *MockTokenCredential) GetToken(ctx context.Context, options policy.TokenRequestOptions) (azcore.AccessToken, error) {
+	if len(options.Scopes) != 1 {
+		return azcore.AccessToken{}, fmt.Errorf("Scopes must contain 1 element! Contains %d elements.", len(options.Scopes))
+	}
+
+	scope := options.Scopes[0]
+
+	if !strings.HasPrefix(scope, "https://") {
+		return azcore.AccessToken{}, fmt.Errorf("Scope must start with https, and it did not.")
+	}
+
+	if !strings.HasSuffix(scope, "/.default") {
+		return azcore.AccessToken{}, fmt.Errorf("Scope must end with /.default, and it did not.")
+	}
+
+	if options.EnableCAE {
+		return azcore.AccessToken{}, fmt.Errorf("CAE must be false. It was true.")
+	}
+
 	token, err := c.getTokenFunc()
 
 	if err != nil {