From 2d55dd1028f46e2ab99fa05a1317fe0de3b9fe17 Mon Sep 17 00:00:00 2001
From: Vincent Renaville
Date: Thu, 22 Jul 2021 10:26:50 +0200
Subject: [PATCH] [IMP] Add identity (#238)
* [IMP] can use ad identity to access storage
---
 attachment_azure/__manifest__.py | 2 +-
 attachment_azure/models/ir_attachment.py | 23 +++++++++++++++++++++--
 requirements.txt | 1 +
 3 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/attachment_azure/__manifest__.py b/attachment_azure/__manifest__.py
index 5774934..f685f39 100644
--- a/attachment_azure/__manifest__.py
+++ b/attachment_azure/__manifest__.py
@@ -13,7 +13,7 @@
 "category": "Knowledge Management",
 "depends": ["base_attachment_object_storage"],
 "external_dependencies": {
- "python": ["azure-storage-blob"],
+ "python": ["azure-storage-blob", "azure-identity"],
 },
 "website": "https://github.com/camptocamp/odoo-cloud-platform",
 "installable": True,
diff --git a/attachment_azure/models/ir_attachment.py b/attachment_azure/models/ir_attachment.py
index 9576d49..134d860 100644
--- a/attachment_azure/models/ir_attachment.py
+++ b/attachment_azure/models/ir_attachment.py
@@ -22,6 +22,11 @@ try:
 except ImportError:
 _logger.debug("Cannot 'import azure-storage-blob'.")
+try:
+ from azure.identity import DefaultAzureCredential
+except ImportError:
+ _logger.debug("Cannot 'import azure-identity'.")
+
 class IrAttachment(models.Model):
 _inherit = "ir.attachment"
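Review bot: The added `except ImportError:` branch leaves `DefaultAzureCredential` unbound and reports the missing package only at debug level. A deployment that sets `AZURE_STORAGE_USE_AAD` without azure-identity installed would presumably fail with a `NameError` at the `DefaultAzureCredential()` call in the later hunk, not with a configuration error. Binding `DefaultAzureCredential = None` in the except branch and checking it before use, raising `exceptions.UserError` as the environment-variable guard does, would make the failure explicit. The same applies to the azure-storage-blob import visible as context, whose `try:` starts outside this hunk.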
@@ -41,13 +46,20 @@ class IrAttachment(models.Model):
 * ``AZURE_STORAGE_ACCOUNT_NAME``
 * ``AZURE_STORAGE_ACCOUNT_URL``
 * ``AZURE_STORAGE_ACCOUNT_KEY``
+ or if you want to use AAD (pod identity), set it to 1 or 0
+ * ``AZURE_STORAGE_USE_AAD``
 """
 connect_str = os.environ.get("AZURE_STORAGE_CONNECTION_STRING")
 account_name = os.environ.get("AZURE_STORAGE_ACCOUNT_NAME")
 account_url = os.environ.get("AZURE_STORAGE_ACCOUNT_URL")
 account_key = os.environ.get("AZURE_STORAGE_ACCOUNT_KEY")
- if not (connect_str or (account_name and account_url and account_key)):
+ account_use_aad = os.environ.get("AZURE_STORAGE_USE_AAD")
+ if not (
+ connect_str
+ or (account_name and account_url and account_key)
+ or account_use_aad
+ ):
 msg = _(
 "If you want to read from the Azure container, you must provide the "
 "following environment variables:\n"
@@ -56,10 +68,17 @@ class IrAttachment(models.Model):
 "* AZURE_STORAGE_ACCOUNT_NAME\n"
 "* AZURE_STORAGE_ACCOUNT_URL\n"
 "* AZURE_STORAGE_ACCOUNT_KEY\n"
+ "or\n"
+ "* AZURE_STORAGE_USE_AAD\n"
 )
 raise exceptions.UserError(msg)
 blob_service_client = None
- if connect_str:
+ if account_use_aad:
+ token_credential = DefaultAzureCredential()
+ blob_service_client = BlobServiceClient(
+ account_url=account_url, credential=token_credential
+ )
+ elif connect_str:
 try:
 blob_service_client = BlobServiceClient.from_connection_string(
 connect_str
diff --git a/requirements.txt b/requirements.txt
index babf6fc..8d39c30 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,5 @@
 azure-storage-blob==12.8.1
+azure-identity==1.6.0
 boto3==1.9.102
 redis==2.10.5
 python-json-logger==0.1.5
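Review bot: `AZURE_STORAGE_USE_AAD` is read as a raw string, so the documented value `0` is truthy and still selects AAD authentication. This affects both the guard here and the `if account_use_aad:` branch in the next hunk, where it also takes precedence over a configured connection string. Parse the flag explicitly, for example `account_use_aad = os.environ.get("AZURE_STORAGE_USE_AAD", "").strip().lower() in ("1", "true", "yes")`. The guard also accepts the flag alone although the AAD branch passes `account_url` to the client; `or (account_use_aad and account_url)` would keep that misconfiguration on the `UserError` path, and the message should then name `AZURE_STORAGE_ACCOUNT_URL` next to the flag. The method starts before this hunk and continues past it.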
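Review bot: The new AAD branch calls `DefaultAzureCredential()` with no arguments, which tries a chain of credential sources rather than only the pod identity the docstring describes. Which identity ends up reading and writing attachments therefore depends on what else is present in the runtime environment. If pod identity is the only intended source, state that in code, for example with `ManagedIdentityCredential()` or by passing options such as `exclude_shared_token_cache_credential=True` and `exclude_cli_credential=True`, and add a comment naming the expected identity. The credential most likely acquires its token lazily, so a misconfigured identity would surface on the first container request and not here. The connection-string branch opens a `try:` whose handler lies outside the hunk, and it is worth confirming that the AAD path reaches comparable error handling.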