Azure / azure-cli

Azure Command-Line Interface
MIT License

az login with EC cert fails #30254

Open Jamesits opened 3 weeks ago

Jamesits commented 3 weeks ago

Describe the bug

az login with an EC certificate fails.

Related command

az login

Errors

The command failed with an unexpected error. Here is the traceback:
ECPrivateKey.sign() takes 2 positional arguments but 3 were given
Traceback (most recent call last):
  File "/opt/azure-cli/lib/python3.12/site-packages/knack/cli.py", line 233, in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 666, in execute
    raise ex
  File "/opt/azure-cli/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 733, in _run_jobs_serially
    results.append(self._run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 703, in _run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/azure/cli/core/commands/__init__.py", line 336, in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/azure/cli/core/commands/command_operation.py", line 121, in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/azure/cli/command_modules/profile/custom.py", line 165, in login
    subscriptions = profile.login(
                    ^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/azure/cli/core/_profile.py", line 181, in login
    identity.login_with_service_principal(username, password, scopes=scopes)
  File "/opt/azure-cli/lib/python3.12/site-packages/azure/cli/core/auth/identity.py", line 197, in login_with_service_principal
    result = cca.acquire_token_for_client(scopes)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/msal/application.py", line 2339, in acquire_token_for_client
    return _clean_up(self._acquire_token_silent_with_error(
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/msal/application.py", line 1439, in _acquire_token_silent_with_error
    result = self._acquire_token_silent_from_cache_and_possibly_refresh_it(
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/msal/application.py", line 1580, in _acquire_token_silent_from_cache_and_possibly_refresh_it
    result = self._acquire_token_for_client(
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/msal/application.py", line 2358, in _acquire_token_for_client
    response = client.obtain_token_for_client(
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/msal/oauth2cli/oauth2.py", line 757, in obtain_token_for_client
    return self._obtain_token("client_credentials", data=data, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/msal/oauth2cli/oidc.py", line 170, in _obtain_token
    ret = super(Client, self)._obtain_token(grant_type, *args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/msal/oauth2cli/oauth2.py", line 776, in _obtain_token
    resp = super(Client, self)._obtain_token(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/msal/oauth2cli/oauth2.py", line 202, in _obtain_token
    self.client_assertion()  # Do lazy on-the-fly computation
    ^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/msal/oauth2cli/assertion.py", line 63, in __call__
    self._buf = {VALUE: self._factory(), EXPIRES_AT: now + self._expires_in}
                        ^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/msal/oauth2cli/assertion.py", line 42, in <lambda>
    self.create_normal_assertion(a, i, s, expires_in=e, **kwargs),
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/msal/oauth2cli/assertion.py", line 122, in create_normal_assertion
    str_or_bytes = jwt.encode(  # PyJWT 1 returns bytes, PyJWT 2 returns str
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/jwt/api_jwt.py", line 64, in encode
    return api_jws.encode(json_payload, key, algorithm, headers, json_encoder)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/jwt/api_jws.py", line 134, in encode
    signature = alg_obj.sign(signing_input, key)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/azure-cli/lib/python3.12/site-packages/jwt/algorithms.py", line 373, in sign
    return key.sign(msg, padding.PKCS1v15(), self.hash_alg())
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: ECPrivateKey.sign() takes 2 positional arguments but 3 were given
To check existing issues, please visit: https://github.com/Azure/azure-cli/issues

Issue script & Debug output

N/A

Expected behavior

The command should succeed

Environment Summary

azure-cli 2.65.0

core 2.65.0 telemetry 1.1.0

Extensions: aks-preview 9.0.0b8

Dependencies: msal 1.31.0 azure-mgmt-resource 23.1.1

Python location '/opt/azure-cli/bin/python' Extensions directory '/home/james/.azure/cliextensions'

Python (Linux) 3.12.7 (main, Oct 1 2024, 11:15:50) [GCC 14.2.1 20240910]

Legal docs and information: aka.ms/AzureCliLegal

Your CLI is up-to-date.

Additional context

Reproduction:

Create the cert:

openssl ecparam -out test.key -name prime256v1 -genkey
openssl req -new -key test.key -x509 -nodes -days 720 -out test.crt
cat test.crt test.key > test-full.crt

Create the AAD application:

resource "azuread_application" "test" {
  display_name = "test"
}

resource "azuread_service_principal" "test" {
  client_id = azuread_application.test.client_id
  tags = [
    "AppServiceIntegratedApp",
    "WindowsAzureActiveDirectoryIntegratedApp",
    "HideApp",
  ]
  app_role_assignment_required = true
}

resource "azuread_application_certificate" "test" {
  application_id = azuread_application.test.id
  type           = "AsymmetricX509Cert"
  value          = file("test.crt")
}

Trigger the bug:

az login --service-principal --tenant <tenant id> --username <client id> --password test-full.crt
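The traceback above ends in PyJWT's RSA signing path (`key.sign(msg, padding.PKCS1v15(), hash)`), which an EC private key cannot satisfy. A practical pre-flight check is to inspect the bundle that `--password` points at and refuse it when the key is EC, before the login round-trips to the token endpoint. The script below is an added example for this issue, not code from azure-cli, MSAL, PyJWT or the reporter. It uses only the standard library: it recognises the legacy `EC PRIVATE KEY` / `RSA PRIVATE KEY` labels (the former is what `openssl ecparam -genkey` writes) and, for PKCS#8 `PRIVATE KEY` blocks, walks the DER to read the AlgorithmIdentifier OID. The sample bundles at the bottom are constructed with dummy key bytes and are not real keys; the verdict strings and function names are this example's own.

```python
"""Classify the private key inside a PEM bundle before handing it to
`az login --service-principal ... --password <file>`.

Added example for azure-cli issue #30254 (not azure-cli, MSAL or PyJWT code).
Stdlib only: PEM labels and, for PKCS#8 blocks, the AlgorithmIdentifier OID.
"""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"  # rsaEncryption
OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"      # id-ecPublicKey


def der_read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    parts, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                       # last byte of this arc
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def pkcs8_key_type(der: bytes) -> str:
    """PrivateKeyInfo ::= SEQUENCE { version INTEGER, privateKeyAlgorithm
    AlgorithmIdentifier, privateKey OCTET STRING, ... }; return the algorithm."""
    tag, info, _ = der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("PKCS#8 body is not a DER SEQUENCE")
    _, _, pos = der_read_tlv(info, 0)          # skip version
    _, alg_id, _ = der_read_tlv(info, pos)     # AlgorithmIdentifier SEQUENCE
    _, oid, _ = der_read_tlv(alg_id, 0)        # its first element is the OID
    dotted = decode_oid(oid)
    return {OID_RSA_ENCRYPTION: "RSA", OID_EC_PUBLIC_KEY: "EC"}.get(dotted, "unknown:" + dotted)


def classify_pem_bundle(text: str) -> dict:
    """Count CERTIFICATE blocks and identify the private key type in a PEM bundle."""
    found = {"certificates": 0, "key_type": None}
    for label, b64 in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            found["certificates"] += 1
        elif label == "EC PRIVATE KEY":        # SEC1, as written by `openssl ecparam -genkey`
            found["key_type"] = "EC"
        elif label == "RSA PRIVATE KEY":       # PKCS#1
            found["key_type"] = "RSA"
        elif label == "PRIVATE KEY":           # PKCS#8: the algorithm sits inside the DER
            found["key_type"] = pkcs8_key_type(base64.b64decode("".join(b64.split())))
    return found


def check_for_az_login(text: str) -> str:
    """Verdict for a bundle meant for `az login --password <file>` on azure-cli 2.65.0."""
    found = classify_pem_bundle(text)
    if found["certificates"] == 0 or found["key_type"] is None:
        return "reject: bundle needs both a CERTIFICATE and a private key block"
    if found["key_type"] == "EC":
        return ("reject: EC key; this CLI build signs the client assertion through PyJWT's "
                "RSA path (key.sign(msg, PKCS1v15, hash)), which raises TypeError on EC keys")
    if found["key_type"] == "RSA":
        return "ok: RSA key"
    return "reject: unsupported key algorithm " + found["key_type"]


# ---- constructed sample inputs (dummy key material, not real keys) ----
def der_tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder (short-form length) used only to build the samples."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def pkcs8_sample(alg_oid_hex: str, params: bytes) -> str:
    """Constructed PKCS#8 PEM with the given AlgorithmIdentifier and 8 dummy key bytes."""
    alg_id = der_tlv(0x30, der_tlv(0x06, bytes.fromhex(alg_oid_hex)) + params)
    info = der_tlv(0x30, der_tlv(0x02, b"\x00") + alg_id + der_tlv(0x04, b"\x00" * 8))
    return "-----BEGIN PRIVATE KEY-----\n" + base64.b64encode(info).decode() + "\n-----END PRIVATE KEY-----\n"


DUMMY_CERT = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
# Shape of `cat test.crt test.key` from the repro: cert, EC PARAMETERS, SEC1 EC key.
SAMPLE_SEC1_BUNDLE = (DUMMY_CERT
                      + "-----BEGIN EC PARAMETERS-----\nAAAA\n-----END EC PARAMETERS-----\n"
                      + "-----BEGIN EC PRIVATE KEY-----\nAAAA\n-----END EC PRIVATE KEY-----\n")
# PKCS#8 variants: id-ecPublicKey + prime256v1, and rsaEncryption + NULL params.
SAMPLE_PKCS8_EC = DUMMY_CERT + pkcs8_sample("2a8648ce3d0201", der_tlv(0x06, bytes.fromhex("2a8648ce3d030107")))
SAMPLE_PKCS8_RSA = DUMMY_CERT + pkcs8_sample("2a864886f70d010101", der_tlv(0x05, b""))

if __name__ == "__main__":
    for name, bundle in [("sec1-ec", SAMPLE_SEC1_BUNDLE), ("pkcs8-ec", SAMPLE_PKCS8_EC),
                         ("pkcs8-rsa", SAMPLE_PKCS8_RSA)]:
        print(f"{name}: {check_for_az_login(bundle)}")
```

Run it against the real `test-full.crt` by reading the file and passing its text to `check_for_az_login`; the SEC1 branch is the one that matches the reproduction steps above, while the PKCS#8 branch covers keys exported with `openssl pkcs8` or by most cloud key stores.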

yonzhan commented 3 weeks ago

Thank you for opening this issue, we will look into it.