While investigating a bug that wound up simply being NRP taking 3 minutes to update a NIC... I noticed a different bug in the Azure SDK for Go:

1. T=0: PUT operation to update NIC (async response)
2. T=10: GET on operation status (in progress)
3. T=70: GET on operation status (in progress)
4. T=130: GET on operation status (in progress)
5. T=190: GET on operation status (success)

Problem is, first response includes RetryAfter, but the responses from GET operation status do not include the header.

Proposed: stash the RetryAfter from the initial PUT and use that as a fallback before the Client's DefaultPollingInterval.

cc: @brendandixon for thoughts on if this is okay, or if the polling needs to backoff, even though the API said to retryafter a certain interval.

Refactoring into the adal package broke the examples. Proposed fix with Azure/azure-sdk-for-go#600

There's no any unit test existing for token.go file, please create one.

I am creating this issue to collect your thoughts about AAD v2. The current implementation supports AAD v1, but would be nice to have some support for v2 which implements the OIDC specs.

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-compare

I am not sure if there are any particularities in AAD v2, or one can use an exiting Go package such as https://github.com/coreos/go-oidc to acquire an id_token.

cc @colemickens @marstr

The commit tagged v7.2.3 will still report as v7.2.2 using the autorest.Version() function.

This is discussed more thoroughly in Azure/azure-sdk-for-go#544 and Azure/azure-sdk-for-go#404. However, the crux of the issue is that in order to take advantage of Go's HTTP Library and connection re-use, the Response Body must be read to completion before the connection is closed.

and

I feel like if this method gets called multiple times with different userAgent strings, they will all have the same user agent string. The solution might be GetDefaultClient() that returns a client.

Per our discussion at Azure/azure-sdk-for-go#262 we should probably stop using Godeps for this library repository. Also I noticed the SDK vendors the same dependencies as here over there. So it's probably redundant.

I believe some code that lives in this repo should live inside an ADAL repo. There is ADAL for other languages, including Java, Node, Ruby, etc.
@cosmincojocar I know you have used Go before, and also have worked on ADAL for other languages. What do you think?
cc @jhendrixMSFT @marstr @salameer

👋

We're provisioning a Search Service through the Azure SDK for Go - and have noticed since ~mid July that the deployment times have been increasing.

Upon further investigation - it appears that AutoRest doesn't handle the provisioningState field being lower-case - as is the case in the Search Service API:

After sending this request:

{
	"location": "westeurope",
	"tags": {
		"database": "test",
		"environment": "staging"
	},
	"properties": {},
	"sku": {
		"name": "standard"
	}
}

and polling:

{
	"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/tharvey-dev2/providers/Microsoft.Search/searchServices/tharveysearch",
	"name": "tharveysearch",
	"type": "Microsoft.Search/searchServices",
	"location": "West Europe",
	"tags": {
		"database": "test",
		"environment": "staging"
	},
	"properties": {
		"replicaCount": 1,
		"partitionCount": 1,
		"status": "provisioning",
		"statusDetails": "",
		"provisioningState": "provisioning",
		"hostingMode": "Default"
	},
	"sku": {
		"name": "standard"
	}
}

which, eventually returns the following:

{
	"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/tharvey-dev2/providers/Microsoft.Search/searchServices/tharveysearch",
	"name": "tharveysearch",
	"type": "Microsoft.Search/searchServices",
	"location": "West Europe",
	"tags": {
		"database": "test",
		"environment": "staging"
	},
	"properties": {
		"replicaCount": 1,
		"partitionCount": 1,
		"status": "running",
		"statusDetails": "",
		"provisioningState": "succeeded",
		"hostingMode": "Default"
	},
	"sku": {
		"name": "standard"
	}
}

However the SDK continues polling indefinitely (see below, the first successful response is highlighted):

Upon updating this line to be lower-case and rebuilding - the SDK appears to work as expected.

As such - would it be possible to update AutoRest to allow this field to be case insensitive?

On a related note - it appears the Portal is shying users away from creating new Search Services - is it Deprecated / EOL'd? Screenshot from the Portal - which appears to be applicable in every region:

Thanks!

I started seeing multiple http.Client{}s around the codebase, it's not immediately clear to me how we can consolidate these.

• client.go
• sender.go #1
• sender.go #2

I just had to add a custom http.Transport setting to 3 different places to change the behavior.

User should be able to set a HTTP client in a single place to be used in all requests.

@brendandixon

{
    "error": {
        "code": "InvalidAuthenticationTokenAudience",
        "message": "The access token has been obtained from wrong audience or resource 'https://management.usgovcloudapi.net'. It should exactly match (including forward slash) with one of the allowed audiences 'https://management.core.usgovcloudapi.net/','https://management.usgovcloudapi.net/'."
    }
}

The fix is to add a trailing '/'. 👍 I'll send a PR.

The current implementation of AccessTokensPath in go-autorest have very strong dependency on its path, we want to get rid of hard dependency here. az login might be a good solution here.

Hi,
Have you ever tried adal on azure stack env? I have been using adal in azure stack env, trying to use service principal connecting to azure stack, while I always got below error:
2017/08/04 07:40:17 Error: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://adminmanagement.local.azurestack.external/subscriptions/a3368291-e427-41b0-b790-66b7be21017b/providers/Microsoft.Storage/checkNameAvailability?api-version=2015-06-15: StatusCode=0 -- Original Error: adal: Refresh request failed. Status Code = '400'

And then If I comment out below line in adal, it would proceed.

https://github.com/Azure/go-autorest/blob/master/autorest/adal/token.go#L373

https://github.com/Azure/go-autorest/blob/master/autorest/azure/environments.go#L21

Please add the ACR suffix to this struct and then for each environment that is defined.

I'm unsure if this is the right place to log this issue, but I'm experimenting with the recently announced configurable token lifetimes feature in AAD. The purpose is to enforce an idle timeout for Kubernetes (kubectl) users so that they must re-authenticate to Azure after a given amount of idle time. In our scenario, we have OIDC enabled in Kubernetes and we're finding developers are sharing their config files (despite being told not to). We're looking to (partially) mitigate this by enforcing more frequent authentications.

To achieve this, I'm setting the "Refresh Token Max Inactive Time" property in a custom policy and linking it to the AAD object that represents the k8s API. When this policy is active, kubectl is unable to re-authenticate the user and acquire a new refresh token after the idle timeout period is reached:

E1116 09:51:11.431092 3771 azure.go:126] Failed to acquire a token: refreshing the expired token: refreshing token: adal: Refresh request failed. Status Code = '400' Unable to connect to the server: acquiring a token for authorization header: refreshing the expired token: refreshing token: adal: Refresh request failed. Status Code = '400'

I suppose this could be a issue related to AAD, the ADAL Go library, or even the kubectl plug-in for Azure. I'm looking for guidance as to where this issue would best be reported and what further information I can provide.

We are doing ARM calls with AAD service principal authorization

This could fail with authentication. Right now the returned error has information like below:
autorest#WithErrorUnlessStatusCode: POST https://login.microsoftonline.com/xxxxxxxxx/oauth2/token?api-version=1.0 failed with 400 Bad Request: StatusCode=400

autorest#WithErrorUnlessStatusCode: POST https://login.microsoftonline.com/xxxxxxxxx/oauth2/token?api-version=1.0 failed with 401 Unauthorized: StatusCode=401

However there are many reasons that Graph API can give you 400. Is it possible to expose the additional error code from the response?

😭 😭 😭 😭 😭

As suggested by @JackQuincy in Azure/azure-sdk-for-go#658

Azure/autorest#2672

I have a request/response inspector set on the client that prints every request/response. For Azure long-running operations the inspection for the polling "requests" is missing (but their response is inspected just fine):

• Azure request method="PUT" request="https://management.azure.com/subscriptions/27b750cd-ed43-42fd-9044-8d75e124ae55/resourceGroups/docker-machine/providers/Microsoft.Network/networkSecurityGroups/foo0-firewall?api-version=2015-06-15"
• Azure response method="PUT" request="https://management.azure.com/subscriptions/27b750cd-ed43-42fd-9044-8d75e124ae55/resourceGroups/docker-machine/providers/Microsoft.Network/networkSecurityGroups/foo0-firewall?api-version=2015-06-15" x-ms-request-id="e992d5dd-0255-4e8b-bff8-e9aeb49b5c3d" status="201 Created"
• Azure response x-ms-request-id="dc65e42f-569a-4a29-b9dd-bbcd6e17ae49" status="200 OK" method="GET" request="https://management.azure.com/subscriptions/27b750cd-ed43-42fd-9044-8d75e124ae55/providers/Microsoft.Network/locations/westus/operations/e992d5dd-0255-4e8b-bff8-e9aeb49b5c3d?api-version=2015-06-15"

so the request of the last response is missing.

Or is it just to stage up breaking changes so they can be released together to avoid churn?

I ask, because I'm adding MSI because I need it for Kubernetes. I can't consume a non-master branch of go-autorest in Kubernetes so I need to be able to reason about when 'dev' will get merged into 'master'.

Thanks!

many of the packages that are for azure-sdk-for-go fail because it's trying to send 2 arguments to a func that receives only one.

Azure/azure-sdk-for-go/arm/network/applicationgateways.go:103: too many arguments in call to azure.DoPollForAsynchronous

applicationgateways.go: 103:
azure.DoPollForAsynchronous(autorest.DefaultPollingDuration,
autorest.DefaultPollingDelay))

async.go:
func DoPollForAsynchronous(delay time.Duration) autorest.SendDecorator {

👋

I've seen this recent PR which changes the way that Long Running Operations are handled, such that it effectively removes the polling support from the SDK and instead pushed that onto consumers of the SDK.

Within Terraform, we rely pretty heavily on the automatic polling available within the Go SDK - as such I'm concerned that removing these methods will lead to a considerable increase in code (and thus complexity) for us - when currently this is one of the major benefits of using the Go SDK over when we used to use the Riviera SDK.

As such - are there any plans around to expose a polling method available within the SDK to preserve the current behaviour? I can certainly see the desire for the SDK to return the current state - however polling until the resource is ready is also a really handy function of the SDK at this point :)

Thanks!

I sometimes see an error like this:

error response cannot be parsed: "\ufeff{\"odata.error\":{\"code\":\"Request_MultipleObjectsWithSameKeyValue\",\"message\":{\"lang\":\"en\",\"value\":\"Another object with the same value for property servicePrincipalNames already exists.\"},\"requestId\":\"46a97035-e286-4d41-8eee-ae33de2f0288\",\"date\":\"2017-01-18T12:31:21\"}}" error: invalid character 'ï' looking for beginning of value

It looks like the error response from Azure sometimes contains a byte-order mark that Go's JSON decoder does not like. It should probably be trimmed before parsing.

autorest/client.go:

Some RPs (for some endpoints) drop the Retry-After header and they actually return an Azure-AsyncOperation header even though the operation was completed (response body actually has field "provisioningStatus": "succeeded").

Just because they return the header anyway and omit Retry-After we wait full 60 seconds doing nothing. This especially impacts docker-machine user experience and puts us behind. During a docker-machine creation, we wait full 60 seconds about 3-4 times (so losing 3-4 minutes for nothing). I'd love to set this to 10 or 15 seconds if it was possible.

@brendandixon is it ok to make this field a var, not a const?

I need to authorize clients with standard OAuth2 authorization flow. It seems that only secret, certificate and device flows are supported now. For example, other SDKs have
AcquireTokenWithAuthorizationCode method. Any plans to support it?

Any chance we could get a newer release tag with some of the updates that have hit master since v0.1-alpha? 😄

There's a disagreement on naming style for the various clouds.

We have AzureGermanCloud and AzureChinaCloud. It seems more appropriate for German to be Germany.

The Azure XPlat CLI does the same thing.

When I make a request to the Azure API that returns an error,
I see a response like this:

{"odata.error":{"code":"Request_ResourceNotFound","message":{"lang":"en","value":"Resource not found for the segment 'me'."}}}

This ends up producing an error like:

graphrbac.ObjectsClient#GetCurrentUser: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="Unknown" Message="Unknown service error"

because azure.ServiceError does not define the correct response type.

See here: Azure/acs-engine#194 (comment)

We got new validation code in the latest version of the SDK. When we upgraded in Kubernetes, it broke a core scenario - being able to create load balancers.

Error message:
servicecontroller.go:760] Failed to process service. Retrying in 1m20s: Failed to create load balancer for service default/nginx: network.SecurityGroupsClient#CreateOrUpdate: Invalid input: autorest/validation: validation failed: parameter=parameters.SecurityGroupPropertiesFormat.Subnets constraint=ReadOnly value=[]network.Subnet{network.Subnet{Response:autorest.Response{Response:(*http.Response)(nil)}, ID:(*string)(0xc4228be160), SubnetPropertiesFormat:(*network.SubnetPropertiesFormat)(nil), Name:(*string)(nil), Etag:(*string)(nil)}} details: readonly parameter; must send as nil or empty in request

Not sure what the recommended course of action here is. I'm not 100% up on what these validations do... but I know they're blocking a scenario that was perfectly functional before.

Further, discussion of PUT semantics today imply that such fields must be submitted, but simply shouldn't be changed (which is not something client SDK validation should be checking).

cc: @brendandburns

I'm getting azure:newPollingRequest 0 Azure Polling Error - Unable to obtain polling URI for GET.

The initial PUT get's a response that includes the Azure-AsyncOperation header. It waits for the next poll. On the next poll, it does a GET to the url specified in Azure-AsyncOperation header returned from the PUT.

The response to the GET for the operation status looks like this. There are no relevant async headers.

{
    "status": "Running"
}

go-autorest: 55fe4db
azure-sdk-for-go: be84778f55e21fa9fa5e6964de5332d8f04d3df1

gulp test:go in AutoRest is not passing some time related tests. The most recent go-autorest commit that passes the tests is 8b2eba76ed1c60ffcb68f312d7cff2671516c08e

If RetriableRequests are nested the outer one will become invalid leading to errors due to EOF. Need to refactor RR to avoid this.

As described in Azure/autorest#2601, when a response is a 429 the default behavior should be to wait 20 seconds, or the duration of the Retry-After header. At the moment the behavior is to not retry or wait the duration of the Retry-After header.

And ate the cookies.
A new client and cookie jar are created everytime the autorest.Client Do() implementation is executed. However, as the retries have been moved out of Do(), they no longer benefit from the cookie jar.
Some acceptance tests in https://github.com/Azure/autorest.go depend on cookies.

@colemickens - I would like your opinion on this.

We've had a request from the Packer community to support Azure Stack. My thinking is that the user of Packer creates a JSON document detailing their Environment. Packer can then deserializes the JSON, and the code has an Environment instance appropriate to them. I think the only change I have to on make is to add the appropriate annotations on the existing Environment type. Does this make sense? If so, I will prepare a PR with the change.

Offer opinionated method for obtaining an Authorizer which tries in order: 1) Service Principal from consts and/or env vars 2) Managed Service Identity (MSI)

Today, the way go-autorest retries is not flexible enough.
Related issue
Azure/azure-sdk-for-go#714
@yuwaMSFT2

As noted by @tombuildsstuff in Azure/azure-rest-api-specs#1324, when an optional parameter has a constraint, that constraint shouldn't be enforced when the value isn't provided at all.

I've tracked down this issue to here: https://github.com/Azure/go-autorest/blob/master/autorest/validation/validation.go#L105

I'm working on a solution now.

Hi azure sdk team

I found an issue when using the keyvault client. I created a service principal with this line

spToken, err := adal.NewServicePrincipalToken(*oauthConfig, sp.ID, sp.Password, env.KeyVaultEndpoint)

Note that when env is PublicCloud, it would resolve to https://vault.azure.net/

The back slash at the end of the URL is causing trouble and will cause an error like this when the code is run

keyvault.ManagementClient#GetKey: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: error response cannot be parsed: "" error: EOF

Removing the back slash as the end like this https://vault.azure.net works

I realize there's some irony in me having written some of this, but I'm confused how cert auth is working at all. Or at least in any scenario that requires refreshing...

As far as I can tell, in refreshInternal it always sets the grant_type to client_credentials even if a cert is used... I'm shocked this is working for cert cases (but it is because @jkapil uses it...)

We should probably set the grant_type inside SetAuthValues as we do for the other fields... But still... how is this working?

cc: @jkapil @Cosmincojocar

Investigate adding a mechanism for automatically refreshing oath tokens.

The extra /autorest/ segment in the go import path hierarchy does not make sense, if we do not any use case for that we should probably eventually get rid of it.

It will be a breaking change but customers must be using some vending solution by now.

As of

The KeyVaultEndpoint is https://vault.azure.net/

If using that KeyVaultEndpoint as AAD's resource, following https://github.com/Azure/go-autorest/blob/master/autorest/azure/example/main.go#L86

It result in 401 response with following header:

Www-Authenticate:[Bearer authorization="https://login.windows.net/xxx", resource="https://vault.azure.net"]

If manually specify https://vault.azure.net (no tailing slash), the request will succeed.

See also:
https://github.com/Azure/azure-sdk-for-python/blob/5e51e1f4a404f8c1d87227da14a68ca924bc180c/doc/sample_azure-keyvault.rst

Adding the tailing slash makes the endpoints consistent, but then the SDK it's not usable. User has to manually tune those endpoints, and it does not make sense for multi-cloud environments.

Shall we ask the service to accept the ending slash, or change the SDK?

Hi!

While all other tests use mocks correctly to avoid depending on DNS or connectivity to the internet, TestClientDoSetsUserAgent is missing such mock, and triggers a DNS query (this is a bug in Debian). This small patch fixes that:

--- a/autorest/client_test.go
+++ b/autorest/client_test.go
@@ -151,6 +151,8 @@
    ua := "UserAgent"
    c := Client{UserAgent: ua}
    r := mocks.NewRequest()
+   s := mocks.NewSender()
+   c.Sender = s

    c.Do(r)

The code today expects the called to encode any path parameters ahead of time. Is it more reasonable for the WithPathParameters to do so. I tend to think so, but there may be valid reasons not to.

Thoughts?

       p := map[string]interface{}{
        "secret-name": autorest.Encode("path", secretName),
    }
    q := map[string]interface{}{
        "api-version": AzureVaultApiVersion,
    }

    req, err := autorest.Prepare(
        &http.Request{},
        autorest.AsGet(),
        autorest.WithBaseURL(client.getVaultUrl(vaultName)),
        autorest.WithPathParameters("/secrets/{secret-name}", p),
        autorest.WithQueryParameters(q))

cc: @paulmey source issue

1.1.0 does not appear in the changelog . :) @colemickens @brendandixon