
Update Azure SQL Authentication to use Azure.Identity #14

Merged
merged 7 commits into from
Sep 30, 2024

Conversation

evochriso
Contributor

Checklist

  • I have read the Contributing Guide
  • I have checked to ensure this does not introduce an unintended breaking changes
  • I have considered appropriate testing for my change

Description

Replace deprecated package Microsoft.Azure.Services.AppAuthentication with Azure.Identity
Resolves #12

@evochriso evochriso changed the title Replace deprecated package Microsoft.Azure.Services.AppAuthentication… Update Azure SQL Authentication to use Azure.Identity Feb 12, 2024
@droyad
Member

droyad commented Feb 12, 2024

Thanks, I'll pull this in when we drop support for System.Data.SqlClient (a breaking change).

@Bartleby2718

@droyad If you don't mind educating a fellow engineer, would you be willing to explain why it'd be better to wait for another major version bump?

My understanding is that:

(Hope I didn't miss anything obvious.)

@evochriso
Contributor Author

Thanks, I'll pull this in when we drop support for System.Data.SqlClient (a breaking change).

@droyad this update shouldn't be a breaking change since it doesn't change behavior or API surface, just swaps a deprecated dependency for its replacement, and has no dependency on System.Data.SqlClient. Perhaps a minor version bump instead of waiting for the next major release?
As mentioned by @Bartleby2718 - the usage of the deprecated package is causing dbup-sqlserver to be flagged by security scanners and is a higher-priority issue than removing the System.Data.SqlClient package, which is not yet deprecated (it just needs a version bump to resolve the security vulnerability).


@Swampen Swampen left a comment


Just wanted to give my input on this after having written a CustomConnectionManager to be able to use Azure.Identity earlier. We used AzureCliCredential for dev environments and WorkloadIdentityCredential/ManagedIdentityCredential for production environments to skip the loop of having to check all possible types of credentials.

@@ -28,12 +29,11 @@ public AzureSqlConnectionManager(string connectionString, string resource)
public AzureSqlConnectionManager(string connectionString, string resource, string tenantId, string azureAdInstance = "https://login.microsoftonline.com/")
: base(new DelegateConnectionFactory((log, dbManager) =>
{
var tokenProvider = new DefaultAzureCredential();
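Review bot: `new DefaultAzureCredential()` is constructed with no options inside the `DelegateConnectionFactory` lambda, so within the visible lines the `tenantId` and `azureAdInstance` parameters this constructor accepts are not applied to the credential; if they are meant to select the tenant and authority, pass them through `DefaultAzureCredentialOptions` (`TenantId`, `AuthorityHost`), e.g. `new DefaultAzureCredential(new DefaultAzureCredentialOptions { TenantId = tenantId, AuthorityHost = new Uri(azureAdInstance) })`. Separately, because the credential is created inside the factory, the full probe chain runs every time a connection is opened; creating it once outside the lambda (or, in the next major, accepting a caller-supplied `TokenCredential`) avoids that.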

Having the caller pass an instance of TokenCredential would be optimal, as DefaultAzureCredential iterates over all possible credential types until it finds one that works.
If this is going to be released on the next major, perhaps add this as a parameter?

Contributor Author


@Swampen my goal with this PR was to resolve the usage of a deprecated NuGet package without introducing a breaking change. In my opinion, using the DefaultAzureCredential here makes sense so we can be as flexible as possible, and the overhead of checking all possible types of credentials seems negligible for a database upgrader that will just make one connection to perform the upgrade. Changing or adding the constructors for the AzureSqlConnectionManager class to accept other parameters such as TokenCredential would be a breaking change.
I don't know what @droyad has planned for the next major release, but I agree we should change constructors in that release.
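The pattern @Swampen describes (a caller-supplied `TokenCredential`, with `AzureCliCredential` for development and `WorkloadIdentityCredential`/`ManagedIdentityCredential` for production so the `DefaultAzureCredential` probe loop is skipped) looks like the following. This is an added example, not dbup-sqlserver's code or the PR's diff; `AzureSqlConnections`, `SelectCredential` and `Create` are hypothetical names, and the sample connection string and client id are constructed placeholders.

```csharp
using System;
using System.Threading;
using Azure.Core;
using Azure.Identity;
using Microsoft.Data.SqlClient;

// Added example (hypothetical helper, not part of dbup-sqlserver).
public static class AzureSqlConnections
{
    // Azure SQL's token audience expressed as a ".default" scope.
    public const string AzureSqlScope = "https://database.windows.net/.default";

    // Picks one credential type up front so no probe chain runs at connect time.
    public static TokenCredential SelectCredential(bool isDevelopment, string? managedIdentityClientId = null)
    {
        if (isDevelopment)
        {
            // Developer machines: reuse the identity from `az login`.
            return new AzureCliCredential();
        }

        // Production: federated workload identity first, then managed identity.
        // ChainedTokenCredential only moves to the next entry when the previous one
        // reports that it is unavailable, so a running AKS pod never probes MI needlessly.
        return new ChainedTokenCredential(
            new WorkloadIdentityCredential(),
            new ManagedIdentityCredential(managedIdentityClientId)); // null => system-assigned identity
    }

    // Opens a SqlConnection authenticated with an access token from the supplied credential.
    // The caller owns the credential, so it is created once and reused for every connection.
    // The connection string must not also carry Authentication= or Integrated Security=,
    // since AccessToken is mutually exclusive with those keywords.
    public static SqlConnection Create(string connectionString, TokenCredential credential, CancellationToken cancellationToken = default)
    {
        AccessToken token = credential.GetToken(new TokenRequestContext(new[] { AzureSqlScope }), cancellationToken);
        return new SqlConnection(connectionString) { AccessToken = token.Token };
    }
}

// Usage with constructed placeholder values:
// var credential = AzureSqlConnections.SelectCredential(isDevelopment: false, managedIdentityClientId: "<user-assigned-mi-client-id>");
// using var connection = AzureSqlConnections.Create("Server=tcp:<server>.database.windows.net,1433;Database=<db>;", credential);
// connection.Open();
```

Because the credential is chosen by the caller, a library such as dbup-sqlserver only needs to accept a `TokenCredential` and request a token for the Azure SQL scope; it never has to know which identity mechanism the deployment uses, and the `DefaultAzureCredential` fallback remains available for callers who want it.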

@droyad droyad changed the base branch from main to release/6.0.0 July 26, 2024 07:00
droyad added 3 commits July 26, 2024 17:08
…to evochriso-main

# Conflicts:
#	src/dbup-sqlserver/AzureSqlConnectionManager.cs
#	src/dbup-sqlserver/dbup-sqlserver.csproj
@droyad
Member

droyad commented Jul 26, 2024

Alright how does that look?

If ok, could you give it a quick manual test and I'll merge it. I don't have AAD Integrated DB on hand.

@peymanr34

peymanr34 commented Jul 26, 2024

Is it necessary to explicitly depend on Azure.Identity? The Microsoft.Data.SqlClient already depends on it.

@droyad
Member

droyad commented Jul 27, 2024

Is it necessary to explicitly depend on Azure.Identity?

It does not need it. I've removed it.

@evochriso
Contributor Author

@droyad consider the version of Azure.Identity - Microsoft.Data.SqlClient requires Azure.Identity 1.11.3 or greater, but that version of Azure.Identity has a vulnerability and should be bumped to 1.12.0

@peymanr34

@droyad consider the version of Azure.Identity - Microsoft.Data.SqlClient requires Azure.Identity 1.11.3 or greater, but that version of Azure.Identity has a vulnerability and should be bumped to 1.12.0

The Microsoft.Data.SqlClient dependencies are a mess, however I think you should do this in your own projects otherwise this repo will become the place to complain/ask to fix Microsoft.Data.SqlClient's bad versioning practices.

@droyad droyad self-assigned this Aug 1, 2024
@droyad
Member

droyad commented Sep 30, 2024

The latest SqlClient references Identity 1.11.4 which doesn't have a vulnerability. We'll update SqlClient.

@droyad droyad closed this Sep 30, 2024
@droyad droyad reopened this Sep 30, 2024
@droyad droyad merged commit 32c112f into DbUp:release/6.0.0 Sep 30, 2024
2 checks passed
Successfully merging this pull request may close these issues.

dbup-sqlserver uses deprecated Microsoft.Azure.Services.AppAuthentication
5 participants