Add azidentity-based AAD auth to sqlcmd (#15)

* basic azure auth support

* add tests for AAD auth

* pipeline fixes

* pipeline fix

* fix variable cyclic reference

* fix file name in pipeline

* merge coverage data

* fix missing quote

* remove unneeded scope

* fix test for azure auth

Author: shueybubbles

.pipelines/TestSql2017.yml

@@ -1,80 +1,51 @@
+variables:
+  # AZURE_CLIENT_SECRET and SQLPASSWORD must be defined as secret variables in the pipeline. 
+  # AZURE_TENANT_ID and AZURE_CLIENT_ID are not expected to be secret variables, just regular variables
+  AZURECLIENTSECRET: $(AZURE_CLIENT_SECRET)
+  PASSWORD: $(SQLPASSWORD)
 pool:
    vmImage: 'ubuntu-latest'
 
-steps: 
-- task: GoTool@0
-  inputs:
-    version: '1.16.5'
-- task: Go@0
-  displayName: 'Go: get dependencies'
-  inputs:
-    command: 'get'
-    arguments: '-d'
-    workingDirectory: '$(Build.SourcesDirectory)/cmd/sqlcmd'
-
-
-- task: Go@0
-  displayName: 'Go: install gotest.tools/gotestsum'
-  inputs:
-    command: 'custom'
-    customCommand: 'install'
-    arguments: 'gotest.tools/gotestsum@latest'
-    workingDirectory: '$(System.DefaultWorkingDirectory)'
-
-- task: Go@0
-  displayName: 'Go: install github.com/axw/gocov/gocov'
-  inputs:
-    command: 'custom'
-    customCommand: 'install'
-    arguments: 'github.com/axw/gocov/gocov@latest'
-    workingDirectory: '$(System.DefaultWorkingDirectory)'
-
-- task: Go@0
-  displayName: 'Go: install github.com/axw/gocov/gocov'
-  inputs:
-    command: 'custom'
-    customCommand: 'install'
-    arguments: 'github.com/AlekSi/gocov-xml@latest'
-    workingDirectory: '$(System.DefaultWorkingDirectory)'
-
-#Your build pipeline references an undefined variables named SQLPASSWORD. 
-#Create or edit the build pipeline for this YAML file, define the variable on the Variables tab. See https://go.microsoft.com/fwlink/?linkid=865972
-
-- task: Docker@2
-  displayName: 'Run SQL 2017 docker image'
-  inputs:
-    command: run
-    arguments: '-m 2GB -e ACCEPT_EULA=1 -d --name sql2017 -p:1433:1433 -e SA_PASSWORD=$(SQLPASSWORD) mcr.microsoft.com/mssql/server:2017-latest'
-
-- script: |
-    ~/go/bin/gotestsum --junitfile testresults.xml -- ./... -coverprofile=coverage.txt -covermode count
-    ~/go/bin/gocov convert coverage.txt > coverage.json
-    ~/go/bin/gocov-xml < coverage.json > coverage.xml
-    mkdir coverage
-  workingDirectory: '$(Build.SourcesDirectory)'
-  displayName: 'run tests'
-  env:
-    SQLPASSWORD: $(SQLPASSWORD)
-    SQLCMDUSER: sa
-    SQLCMDPASSWORD: $(SQLPASSWORD)
-  continueOnError: true
-- task: PublishTestResults@2
-  displayName: "Publish junit-style results"
-  inputs:
-    testResultsFiles: 'testresults.xml'
-    testResultsFormat: JUnit
-    searchFolder: '$(Build.SourcesDirectory)'
-    testRunTitle: 'SQL 2017 - $(Build.SourceBranchName)'
-  condition: always()
-  continueOnError: true
-
-- task: PublishCodeCoverageResults@1
-  inputs:
-    codeCoverageTool: Cobertura 
-    pathToSources: '$(Build.SourcesDirectory)'
-    summaryFileLocation: $(Build.SourcesDirectory)/**/coverage.xml
-    reportDirectory: $(Build.SourcesDirectory)/**/coverage
-    failIfCoverageEmpty: true
-  condition: always()
-  continueOnError: true
+steps:
+  - template: include-install-go-tools.yml
+
+  - task: Docker@2
+    displayName: 'Run SQL 2017 docker image'
+    inputs:
+      command: run
+      arguments: '-m 2GB -e ACCEPT_EULA=1 -d --name sql2017 -p:1433:1433 -e SA_PASSWORD=$(PASSWORD) mcr.microsoft.com/mssql/server:2017-latest'
+
+  - template: include-runtests-linux.yml
+    parameters:
+      RunName: 'SQL 2017'
+      SQLCMDUSER: sa
+      SQLPASSWORD: $(PASSWORD)
+      
+  - template: include-runtests-linux.yml
+    parameters:
+      RunName: 'SQL DB'
+      # AZURESERVER must be defined as a variable in the pipeline
+      SQLCMDSERVER: $(AZURESERVER)
+      AZURECLIENTSECRET: $(AZURECLIENTSECRET)
+      
+  - task: Palmmedia.reportgenerator.reportgenerator-build-release-task.reportgenerator@4
+    displayName: Merge coverage data
+    inputs:
+      reports: '"SQL 2017.coverage.xml";"SQL DB.coverage.xml"' # REQUIRED # The coverage reports that should be parsed (separated by semicolon). Globbing is supported.
+      targetdir: 'coverage' # REQUIRED # The directory where the generated report should be saved.
+      reporttypes: 'HtmlInline_AzurePipelines;Cobertura' # The output formats and scope (separated by semicolon) Values: Badges, Clover, Cobertura, CsvSummary, Html, HtmlChart, HtmlInline, HtmlInline_AzurePipelines, HtmlInline_AzurePipelines_Dark, HtmlSummary, JsonSummary, Latex, LatexSummary, lcov, MarkdownSummary, MHtml, PngChart, SonarQube, TeamCitySummary, TextSummary, Xml, XmlSummary
+      sourcedirs: '$(Build.SourcesDirectory)' # Optional directories which contain the corresponding source code (separated by semicolon). The source directories are used if coverage report contains classes without path information.
+      verbosity: 'Info' # The verbosity level of the log messages. Values: Verbose, Info, Warning, Error, Off
+      tag: '$(build.buildnumber)_#$(build.buildid)_$(Build.SourceBranchName)' # Optional tag or build version.
+  - task: PublishCodeCoverageResults@1
+    inputs:
+      codeCoverageTool: Cobertura 
+      pathToSources: '$(Build.SourcesDirectory)'
+      summaryFileLocation: $(Build.SourcesDirectory)/coverage/*.xml
+      reportDirectory: $(Build.SourcesDirectory)/coverage
+      failIfCoverageEmpty: true
+    condition: always()
+    continueOnError: true
+    env:
+      disable.coverage.autogenerate: 'true'
 

.pipelines/include-install-go-tools.yml

@@ -0,0 +1,36 @@
+steps: 
+  - task: GoTool@0
+    inputs:
+      version: '1.16.5'
+  - task: Go@0
+    displayName: 'Go: get dependencies'
+    inputs:
+      command: 'get'
+      arguments: '-d'
+      workingDirectory: '$(Build.SourcesDirectory)/cmd/sqlcmd'
+  
+  
+  - task: Go@0
+    displayName: 'Go: install gotest.tools/gotestsum'
+    inputs:
+      command: 'custom'
+      customCommand: 'install'
+      arguments: 'gotest.tools/gotestsum@latest'
+      workingDirectory: '$(System.DefaultWorkingDirectory)'
+  
+  - task: Go@0
+    displayName: 'Go: install github.com/axw/gocov/gocov'
+    inputs:
+      command: 'custom'
+      customCommand: 'install'
+      arguments: 'github.com/axw/gocov/gocov@latest'
+      workingDirectory: '$(System.DefaultWorkingDirectory)'
+  
+  - task: Go@0
+    displayName: 'Go: install github.com/axw/gocov/gocov'
+    inputs:
+      command: 'custom'
+      customCommand: 'install'
+      arguments: 'github.com/AlekSi/gocov-xml@latest'
+      workingDirectory: '$(System.DefaultWorkingDirectory)'
+  

.pipelines/include-runtests-linux.yml

@@ -0,0 +1,46 @@
+parameters:
+- name: RunName
+  type: string
+- name: SQLCMDUSER
+  type: string
+  default: ''
+- name: SQLPASSWORD
+  type: string
+  default: ''
+- name: AZURECLIENTSECRET
+  type: string
+  default: ''
+- name: SQLCMDSERVER
+  type: string
+  default: .
+- name: SQLCMDDBNAME
+  type: string
+  default: ''
+steps:
+  - script: |
+      ~/go/bin/gotestsum --junitfile "${{ parameters.RunName }}.testresults.xml" -- ./... -coverprofile="${{ parameters.RunName }}.coverage.txt" -covermode count
+      ~/go/bin/gocov convert "${{ parameters.RunName }}.coverage.txt" > "${{ parameters.RunName }}.coverage.json"
+      ~/go/bin/gocov-xml < "${{ parameters.RunName }}.coverage.json" > "${{ parameters.RunName }}.coverage.xml"
+      mkdir -p coverage
+    workingDirectory: '$(Build.SourcesDirectory)'
+    displayName: 'run tests'
+    env:
+      SQLPASSWORD: ${{ parameters.SQLPASSWORD }}
+      SQLCMDUSER: ${{ parameters.SQLCMDUSER }}
+      SQLCMDPASSWORD: ${{ parameters.SQLPASSWORD }}
+      AZURE_TENANT_ID: $(AZURE_TENANT_ID)
+      AZURE_CLIENT_ID: $(AZURE_CLIENT_ID)
+      AZURE_CLIENT_SECRET: ${{ parameters.AZURECLIENTSECRET }}
+      SQLCMDSERVER: ${{ parameters.SQLCMDSERVER }}
+      SQLCMDDBNAME: ${{ parameters.SQLCMDDBNAME }}
+    continueOnError: true
+
+  - task: PublishTestResults@2
+    displayName: "Publish junit-style results"
+    inputs:
+      testResultsFiles: '"${{ parameters.RunName }}.coverage.xml"'
+      testResultsFormat: JUnit
+      searchFolder: '$(Build.SourcesDirectory)'
+      testRunTitle: '${{ parameters.RunName }} - $(Build.SourceBranchName)'
+    condition: always()
+    continueOnError: true

README.md

@@ -20,6 +20,60 @@ We will be implementing as many command line switches and behaviors as possible
 - Some behaviors that were kept to maintain compatibility with `OSQL` may be changed, such as alignment of column headers for some data types.
 - All commands must fit on one line, even `EXIT`. Interactive mode will not check for open parentheses or quotes for commands and prompt for successive lines. The native sqlcmd allows the query run by `EXIT(query)` to span multiple lines.
 
+### Azure Active Directory Authentication
+
+This version of sqlcmd supports a broader range of AAD authentication models, based on the [azidentity package](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity).
+
+#### Command line
+
+To use AAD auth, you can use one of two command line switches
+
+`-G` is (mostly) compatible with its usage in the prior version of sqlcmd. If a user name and password are provided, it will authenticate using AAD Password authentication. If a user name is provided it will use AAD Interactive authentication which may display a web browser. If no user name or password is provided, it will use a DefaultAzureCredential which attempts to authenticate through a variety of mechanisms.
+
+`--authentication-method=` can be used to specify one of the following authentication types.
+
+`ActiveDirectoryDefault`
+
+- For an overview of the types of authentication this mode will use, see (<https://github.com/Azure/azure-sdk-for-go/tree/main/sdk/azidentity#defaultazurecredential>).
+- Choose this method if your database automation scripts are intended to run in both local development environments and in a production deployment in Azure. You'll be able to use a client secret or an Azure CLI login on your development environment and a managed identity or client secret on your production deployment without changing the script.
+- Setting environment variables AZURE_TENANT_ID, and AZURE_CLIENT_ID are necessary for DefaultAzureCredential to begin checking the environment configuration and look for one of the following additional environment variables in order to authenticate:
+
+  - Setting environment variable AZURE_CLIENT_SECRET configures the DefaultAzureCredential to choose ClientSecretCredential.
+  - Setting environment variable AZURE_CLIENT_CERTIFICATE_PATH configures the DefaultAzureCredential to choose ClientCertificateCredential if AZURE_CLIENT_SECRET is not set.
+  - Setting environment variable AZURE_USERNAME configures the DefaultAzureCredential to choose UsernamePasswordCredential if AZURE_CLIENT_SECRET and AZURE_CLIENT_CERTIFICATE_PATH are not set.
+
+`ActiveDirectoryIntegrated`
+
+This method is currently not implemented and will fall back to `ActiveDirectoryDefault`
+
+`ActiveDirectoryPassword`
+
+This method will authenticate using a user name and password. It will not work if MFA is required.
+You provide the user name and password using the usual command line switches or SQLCMD environment variables.
+Set `AZURE_TENANT_ID` environment variable to the tenant id of the server if not using the default tenant of the user.
+
+`ActiveDirectoryInteractive`
+
+This method will launch a web browser to authenticate the user.
+Set `AZURE_TENANT_ID` environment variable to the tenant id of the server if not using the default.
+
+`ActiveDirectoryManagedIdentity`
+
+Use this method when running sqlcmd on an Azure VM that has either a system-assigned or user-assigned managed identity. If using a user-assigned managed identity, set the user name to the ID of the managed identity. If using a system-assigned identity, leave user name empty.
+
+`ActiveDirectoryServicePrincipal`
+
+This method authenticates the provided user name as a service principal id and the password as the client secret for the service principal. Set `AZURE_TENANT_ID` environment variable to the tenant id of the service principal.
+
+### Environment variables for AAD auth
+
+Some settings for AAD auth do not have command line inputs, and some environment variables are consumed directly by the `azidentity` package used by `sqlcmd`.
+These environment variables can be set to configure some aspects of AAD auth and to bypass default behaviors. In addition to the variables listed above, the following are sqlcmd-specific and apply to multiple methods.
+
+`SQLCMDAZURERESOURCE` - defines the URL of the Azure SQL database resource in the Azure cloud where the database resides. By default, `sqlcmd` attempts to match the DNS suffix of the server name with one of the well known Azure cloud DNS suffixes. If no match is found it uses `https://database.windows.net`.
+
+`SQLCMDCLIENTID` - set this to the identifier of an application registered in your AAD which is authorized to authenticate to Azure SQL Database. Applies to `ActiveDirectoryInteractive` and `ActiveDirectoryPassword` methods.
+
 ### Packages
 
 #### sqlcmd executable

cmd/sqlcmd/main.go

@@ -20,7 +20,7 @@ type SQLCmdArguments struct {
 	// Whether to trust the server certificate on an encrypted connection
 	TrustServerCertificate bool   `short:"C" help:"Implicitly trust the server certificate without validation."`
 	DatabaseName           string `short:"d" help:"This option sets the sqlcmd scripting variable SQLCMDDBNAME. This parameter specifies the initial database. The default is your login's default-database property. If the database does not exist, an error message is generated and sqlcmd exits."`
-	UseTrustedConnection   bool   `short:"E" xor:"uid" help:"Uses a trusted connection instead of using a user name and password to sign in to SQL Server, ignoring any any environment variables that define user name and password."`
+	UseTrustedConnection   bool   `short:"E" xor:"uid, auth" help:"Uses a trusted connection instead of using a user name and password to sign in to SQL Server, ignoring any any environment variables that define user name and password."`
 	UserName               string `short:"U" xor:"uid" help:"The login name or contained database user name.  For contained database users, you must provide the database name option"`
 	// Files from which to read query text
 	InputFile  []string `short:"i" xor:"input1, input2" type:"existingFile" help:"Identifies one or more files that contain batches of SQL statements. If one or more files do not exist, sqlcmd will exit. Mutually exclusive with -Q/-q."`
@@ -31,7 +31,10 @@ type SQLCmdArguments struct {
 	Query  string `short:"Q" xor:"input2" help:"Executes a query when sqlcmd starts and then immediately exits sqlcmd. Multiple-semicolon-delimited queries can be executed."`
 	Server string `short:"S" help:"[tcp:]server[\\instance_name][,port]Specifies the instance of SQL Server to which to connect. It sets the sqlcmd scripting variable SQLCMDSERVER."`
 	// Disable syscommands with a warning
-	DisableCmdAndWarn           bool              `short:"X" xor:"syscmd" help:"Disables commands that might compromise system security. Sqlcmd issues a warning and continues."`
+	DisableCmdAndWarn bool `short:"X" xor:"syscmd" help:"Disables commands that might compromise system security. Sqlcmd issues a warning and continues."`
+	// AuthenticationMethod is new for go-sqlcmd
+	AuthenticationMethod        string            `xor:"auth"  help:"Specifies the SQL authentication method to use to connect to Azure SQL Database. One of:ActiveDirectoryDefault,ActiveDirectoryIntegrated,ActiveDirectoryPassword,ActiveDirectoryInteractive,ActiveDirectoryManagedIdentity,ActiveDirectoryServicePrincipal,SqlPassword"`
+	UseAad                      bool              `short:"G" xor:"auth" help:"Tells sqlcmd to use Active Directory authentication. If no user name is provided, authentication method ActiveDirectoryDefault is used. If a password is provided, ActiveDirectoryPassword is used. Otherwise ActiveDirectoryInteractive is used."`
 	DisableVariableSubstitution bool              `short:"x" help:"Causes sqlcmd to ignore scripting variables. This parameter is useful when a script contains many INSERT statements that may contain strings that have the same format as regular variables, such as $(variable_name)."`
 	Variables                   map[string]string `short:"v" help:"Creates a sqlcmd scripting variable that can be used in a sqlcmd script. Enclose the value in quotation marks if the value contains spaces. You can specify multiple var=values values. If there are errors in any of the values specified, sqlcmd generates an error message and then exits"`
 }
@@ -51,6 +54,26 @@ func newArguments() SQLCmdArguments {
 
 var args SQLCmdArguments
 
+func (a SQLCmdArguments) authenticationMethod(hasPassword bool) string {
+	if a.UseTrustedConnection {
+		return sqlcmd.NotSpecified
+	}
+	if a.UseAad {
+		switch {
+		case a.UserName == "":
+			return sqlcmd.ActiveDirectoryIntegrated
+		case hasPassword:
+			return sqlcmd.ActiveDirectoryPassword
+		default:
+			return sqlcmd.ActiveDirectoryInteractive
+		}
+	}
+	if a.AuthenticationMethod == "" {
+		return sqlcmd.NotSpecified
+	}
+	return a.AuthenticationMethod
+}
+
 func main() {
 	kong.Parse(&args)
 	vars := sqlcmd.InitializeVariables(!args.DisableCmdAndWarn)
@@ -64,9 +87,20 @@ func main() {
 // setVars initializes scripting variables from command line arguments
 func setVars(vars *sqlcmd.Variables, args *SQLCmdArguments) {
 	varmap := map[string]func(*SQLCmdArguments) string{
-		sqlcmd.SQLCMDDBNAME:            func(a *SQLCmdArguments) string { return a.DatabaseName },
-		sqlcmd.SQLCMDLOGINTIMEOUT:      func(a *SQLCmdArguments) string { return "" },
-		sqlcmd.SQLCMDUSEAAD:            func(a *SQLCmdArguments) string { return "" },
+		sqlcmd.SQLCMDDBNAME:       func(a *SQLCmdArguments) string { return a.DatabaseName },
+		sqlcmd.SQLCMDLOGINTIMEOUT: func(a *SQLCmdArguments) string { return "" },
+		sqlcmd.SQLCMDUSEAAD: func(a *SQLCmdArguments) string {
+			if a.UseAad {
+				return "true"
+			}
+			switch a.AuthenticationMethod {
+			case sqlcmd.ActiveDirectoryIntegrated:
+			case sqlcmd.ActiveDirectoryInteractive:
+			case sqlcmd.ActiveDirectoryPassword:
+				return "true"
+			}
+			return ""
+		},
 		sqlcmd.SQLCMDWORKSTATION:       func(a *SQLCmdArguments) string { return "" },
 		sqlcmd.SQLCMDSERVER:            func(a *SQLCmdArguments) string { return a.Server },
 		sqlcmd.SQLCMDERRORLEVEL:        func(a *SQLCmdArguments) string { return "" },
@@ -124,6 +158,7 @@ func run(vars *sqlcmd.Variables) (int, error) {
 	}
 	s.Connect.UseTrustedConnection = args.UseTrustedConnection
 	s.Connect.TrustServerCertificate = args.TrustServerCertificate
+	s.Connect.AuthenticationMethod = args.authenticationMethod(s.Connect.Password != "")
 	s.Connect.DisableEnvironmentVariables = args.DisableCmdAndWarn
 	s.Connect.DisableVariableSubstitution = args.DisableVariableSubstitution
 	s.Format = sqlcmd.NewSQLCmdDefaultFormatter(false)