bug: additional auth cases

[sebastus]

Additional authentication cases have been discovered. We need all of them to be handled correctly.

Expected Behavior

All of these authentication cases should work, az login: (on an Azure VM)

• with only a system assigned MI
• with a system assigned MI and a user assigned MI
• with only a user assigned MI
• with >1 user assigned MI
• with a system assigned MI and >1 user assigned MI
• with an app registration (spn) (client-id + client secret)

All of the above cases should work where the logged in ID has permissions:

• owner on subscription
• owner on something else, but not the subscription
• owner on nothing at all

In cases above where --username (-u) parameter is specified to az login, must work with: (with MI only - not spn)

• client-id
• object-id
• resource-id

In addition to the above cases, az login with a user principal should work:

• with and without owner perms on subscription
• with owner on something else than the subscription (fail with relevant messaging)
• with owner on nothing at all (but possibly contributor, etc) (fail with relevant messaging)

Desired outcome includes creation of unit tests for each of the cases.

Actual Behavior

Some of the above cases are handled correctly, but not all.

Steps to Reproduce the Problem

[benc-uk]

A major note on the owner role check, the only time it needs to be checked is for launchpad mode only See the old rover code

For all other deployments no checks are made

Just checked rovergo and our owner check https://github.com/aztfmod/rovergo/blob/d3d7b15cf71c499ec26a16e8a2498e8bd5f26ed4/pkg/azure/auth.go#L35 Is only called by runLaunchpadInit https://github.com/aztfmod/rovergo/blob/d3d7b15cf71c499ec26a16e8a2498e8bd5f26ed4/pkg/landingzone/landingzone.go#L211 so I think we're ok 🥇

[benc-uk]

Getting the objectId however is mandatory and is required by the CAF terraform in a TF_VAR

[sebastus]

The initial stage of resolving this issue is to enumerate the cases as comments in test/integration/auth_test.go