Support PostgreSQL role assignments on app specific managed identity (#8209)

* Support PostgreSQL role assignments on app specific managed identity

Adding role assignment support for PostgreSQL following the pattern set in #8140

Contributes to #6161

* Fix publisher tests

* Add ACA RunMode test

Author: eerhardt

playground/AzureContainerApps/AzureContainerApps.AppHost/infra.module.bicep

@@ -75,7 +75,6 @@ resource cae_Contributor 'Microsoft.Authorization/roleAssignments@2022-04-01' =
   properties: {
     principalId: userPrincipalId
     roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
-    principalType: 'ServicePrincipal'
   }
   scope: cae
 }

playground/PostgresEndToEnd/PostgresEndToEnd.ApiService/NpgsqlDataSourceBuilderExtensions.cs

@@ -0,0 +1,121 @@
+using System.Text;
+using System.Text.Json;
+using Azure.Core;
+using Azure.Identity;
+using Npgsql;
+
+/// <summary>
+/// Extension methods for NpgsqlDataSourceBuilder to enable Entra authentication with Azure DB for PostgreSQL.
+/// This class provides methods to configure NpgsqlDataSourceBuilder to use Entra authentication, handling token
+/// acquisition and connection setup. It is not specific to this repository and can be used in any project that
+/// requires Entra authentication with Azure DB for PostgreSQL.
+/// </summary>
+/// <example>
+/// Example usage:
+/// <code>
+/// var dataSourceBuilder = new NpgsqlDataSourceBuilder("{connection string}");
+/// dataSourceBuilder.UseEntraAuthentication();
+/// var dataSource = dataSourceBuilder.Build();
+/// </code>
+/// </example>
+public static class NpgsqlDataSourceBuilderExtensions
+{
+    private static readonly TokenRequestContext s_azureDBForPostgresTokenRequestContext = new(["https://ossrdbms-aad.database.windows.net/.default"]);
+
+    /// <summary>
+    /// Configures the NpgsqlDataSourceBuilder to use Entra authentication.
+    /// </summary>
+    /// <param name="dataSourceBuilder">The NpgsqlDataSourceBuilder instance.</param>
+    /// <param name="credential">The TokenCredential to use for authentication. If not provided, DefaultAzureCredential will be used.</param>
+    /// <returns>The configured NpgsqlDataSourceBuilder instance.</returns>
+    public static NpgsqlDataSourceBuilder UseEntraAuthentication(this NpgsqlDataSourceBuilder dataSourceBuilder, TokenCredential? credential = default)
+    {
+        credential ??= new DefaultAzureCredential();
+
+        if (dataSourceBuilder.ConnectionStringBuilder.Username == null)
+        {
+            var token = credential.GetToken(s_azureDBForPostgresTokenRequestContext, default);
+            SetUsernameFromToken(dataSourceBuilder, token.Token);
+        }
+
+        if (dataSourceBuilder.ConnectionStringBuilder.Password == null)
+        {
+            SetPasswordProvider(dataSourceBuilder, credential, s_azureDBForPostgresTokenRequestContext);
+        }
+
+        return dataSourceBuilder;
+    }
+
+    private static void SetPasswordProvider(NpgsqlDataSourceBuilder dataSourceBuilder, TokenCredential credential, TokenRequestContext tokenRequestContext)
+    {
+        dataSourceBuilder.UsePasswordProvider(_ =>
+        {
+            var token = credential.GetToken(tokenRequestContext, default);
+            return token.Token;
+        }, async (_, ct) =>
+        {
+            var token = await credential.GetTokenAsync(tokenRequestContext, ct).ConfigureAwait(false);
+            return token.Token;
+        });
+    }
+
+    private static void SetUsernameFromToken(NpgsqlDataSourceBuilder dataSourceBuilder, string token)
+    {
+        var username = TryGetUsernameFromToken(token);
+
+        if (username != null)
+        {
+            dataSourceBuilder.ConnectionStringBuilder.Username = username;
+        }
+        else
+        {
+            throw new InvalidOperationException("Could not determine username from token claims");
+        }
+    }
+
+    private static string? TryGetUsernameFromToken(string jwtToken)
+    {
+        // Split the token into its parts (Header, Payload, Signature)
+        var tokenParts = jwtToken.Split('.');
+        if (tokenParts.Length != 3)
+        {
+            return null;
+        }
+
+        // The payload is the second part, Base64Url encoded
+        var payload = tokenParts[1];
+
+        // Add padding if necessary
+        payload = AddBase64Padding(payload);
+
+        // Decode the payload from Base64Url
+        var decodedBytes = Convert.FromBase64String(payload);
+        var decodedPayload = Encoding.UTF8.GetString(decodedBytes);
+
+        // Parse the decoded payload as JSON
+        var payloadJson = JsonSerializer.Deserialize<JsonElement>(decodedPayload);
+
+        // Try to get the username from 'upn', 'preferred_username', or 'unique_name' claims
+        if (payloadJson.TryGetProperty("upn", out var upn))
+        {
+            return upn.GetString();
+        }
+        else if (payloadJson.TryGetProperty("preferred_username", out var preferredUsername))
+        {
+            return preferredUsername.GetString();
+        }
+        else if (payloadJson.TryGetProperty("unique_name", out var uniqueName))
+        {
+            return uniqueName.GetString();
+        }
+
+        return null;
+    }
+
+    private static string AddBase64Padding(string base64) => (base64.Length % 4) switch
+    {
+        2 => base64 + "==",
+        3 => base64 + "=",
+        _ => base64,
+    };
+}

playground/PostgresEndToEnd/PostgresEndToEnd.ApiService/PostgresEndToEnd.ApiService.csproj

@@ -12,6 +12,7 @@
     <PackageReference Include="Npgsql.DependencyInjection" VersionOverride="$(Npgsql8Version)" />
     <PackageReference Include="Npgsql.OpenTelemetry" VersionOverride="$(Npgsql8Version)" />
     <ProjectReference Include="..\..\Playground.ServiceDefaults\Playground.ServiceDefaults.csproj" />
+    <PackageReference Include="Azure.Identity" />
   </ItemGroup>
 
 </Project>

playground/PostgresEndToEnd/PostgresEndToEnd.ApiService/Program.cs

@@ -2,41 +2,29 @@
 // The .NET Foundation licenses this file to you under the MIT license.
 
 using Microsoft.EntityFrameworkCore;
+using Npgsql;
 
 var builder = WebApplication.CreateBuilder(args);
 
 builder.AddServiceDefaults();
 
-builder.AddNpgsqlDbContext<MyDb1Context>("db1");
-builder.AddNpgsqlDbContext<MyDb2Context>("db2");
-builder.AddNpgsqlDbContext<MyDb3Context>("db3");
-builder.AddNpgsqlDbContext<MyDb4Context>("db4");
-builder.AddNpgsqlDbContext<MyDb5Context>("db5");
-builder.AddNpgsqlDbContext<MyDb6Context>("db6");
-builder.AddNpgsqlDbContext<MyDb7Context>("db7");
+var dsBuilder = new NpgsqlDataSourceBuilder(builder.Configuration.GetConnectionString("db1"));
+dsBuilder.UseEntraAuthentication();
 
-var connectionString = builder.Configuration.GetConnectionString("db8");
-builder.Services.AddDbContextPool<MyDb8Context>(dbContextOptionsBuilder => dbContextOptionsBuilder.UseNpgsql(connectionString));
-builder.EnrichNpgsqlDbContext<MyDb8Context>();
-
-builder.AddNpgsqlDbContext<MyDb9Context>("db9");
+builder.AddNpgsqlDbContext<MyDb1Context>("db1",
+    configureDbContextOptions: (options) => options.UseNpgsql(dsBuilder.Build()));
 
 var app = builder.Build();
 
 app.MapDefaultEndpoints();
-app.MapGet("/", async (MyDb1Context db1Context, MyDb2Context db2Context, MyDb3Context db3Context, MyDb4Context db4Context, MyDb5Context db5Context, MyDb6Context db6Context, MyDb7Context db7Context, MyDb8Context db8Context, MyDb9Context db9Context) =>
+var firstTime = true;
+app.MapGet("/", async (MyDb1Context db1Context) =>
 {
-    // You wouldn't normally do this on every call,
-    // but doing it here just to make this simple.
-    db1Context.Database.EnsureCreated();
-    db2Context.Database.EnsureCreated();
-    db3Context.Database.EnsureCreated();
-    db4Context.Database.EnsureCreated();
-    db5Context.Database.EnsureCreated();
-    db6Context.Database.EnsureCreated();
-    db7Context.Database.EnsureCreated();
-    db8Context.Database.EnsureCreated();
-    db9Context.Database.EnsureCreated();
+    if (firstTime)
+    {
+        firstTime = false;
+        db1Context.Database.EnsureCreated();
+    }
 
     // We only work with db1Context for the rest of this
     // since we've proven connectivity to the others for now.
@@ -67,102 +55,6 @@ protected override void OnModelCreating(ModelBuilder modelBuilder)
     public DbSet<Entry> Entries { get; set; }
 }
 
-public class MyDb2Context(DbContextOptions<MyDb2Context> options) : DbContext(options)
-{
-    protected override void OnModelCreating(ModelBuilder modelBuilder)
-    {
-        base.OnModelCreating(modelBuilder);
-
-        modelBuilder.Entity<Entry>().HasKey(e => e.Id);
-    }
-
-    public DbSet<Entry> Entries { get; set; }
-}
-
-public class MyDb3Context(DbContextOptions<MyDb3Context> options) : DbContext(options)
-{
-    protected override void OnModelCreating(ModelBuilder modelBuilder)
-    {
-        base.OnModelCreating(modelBuilder);
-
-        modelBuilder.Entity<Entry>().HasKey(e => e.Id);
-    }
-
-    public DbSet<Entry> Entries { get; set; }
-}
-
-public class MyDb4Context(DbContextOptions<MyDb4Context> options) : DbContext(options)
-{
-    protected override void OnModelCreating(ModelBuilder modelBuilder)
-    {
-        base.OnModelCreating(modelBuilder);
-
-        modelBuilder.Entity<Entry>().HasKey(e => e.Id);
-    }
-
-    public DbSet<Entry> Entries { get; set; }
-}
-
-public class MyDb5Context(DbContextOptions<MyDb5Context> options) : DbContext(options)
-{
-    protected override void OnModelCreating(ModelBuilder modelBuilder)
-    {
-        base.OnModelCreating(modelBuilder);
-
-        modelBuilder.Entity<Entry>().HasKey(e => e.Id);
-    }
-
-    public DbSet<Entry> Entries { get; set; }
-}
-
-public class MyDb6Context(DbContextOptions<MyDb6Context> options) : DbContext(options)
-{
-    protected override void OnModelCreating(ModelBuilder modelBuilder)
-    {
-        base.OnModelCreating(modelBuilder);
-
-        modelBuilder.Entity<Entry>().HasKey(e => e.Id);
-    }
-
-    public DbSet<Entry> Entries { get; set; }
-}
-
-public class MyDb7Context(DbContextOptions<MyDb7Context> options) : DbContext(options)
-{
-    protected override void OnModelCreating(ModelBuilder modelBuilder)
-    {
-        base.OnModelCreating(modelBuilder);
-
-        modelBuilder.Entity<Entry>().HasKey(e => e.Id);
-    }
-
-    public DbSet<Entry> Entries { get; set; }
-}
-
-public class MyDb8Context(DbContextOptions<MyDb8Context> options) : DbContext(options)
-{
-    protected override void OnModelCreating(ModelBuilder modelBuilder)
-    {
-        base.OnModelCreating(modelBuilder);
-
-        modelBuilder.Entity<Entry>().HasKey(e => e.Id);
-    }
-
-    public DbSet<Entry> Entries { get; set; }
-}
-
-public class MyDb9Context(DbContextOptions<MyDb9Context> options) : DbContext(options)
-{
-    protected override void OnModelCreating(ModelBuilder modelBuilder)
-    {
-        base.OnModelCreating(modelBuilder);
-
-        modelBuilder.Entity<Entry>().HasKey(e => e.Id);
-    }
-
-    public DbSet<Entry> Entries { get; set; }
-}
-
 public class Entry
 {
     public Guid Id { get; set; } = Guid.NewGuid();

playground/PostgresEndToEnd/PostgresEndToEnd.AppHost/PostgresEndToEnd.AppHost.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
     <OutputType>Exe</OutputType>
@@ -15,6 +15,7 @@
 
   <ItemGroup>
     <AspireProjectOrPackageReference Include="Aspire.Hosting.AppHost" />
+    <AspireProjectOrPackageReference Include="Aspire.Hosting.Azure.PostgreSQL" />
     <AspireProjectOrPackageReference Include="Aspire.Hosting.PostgreSQL" />
 
     <ProjectReference Include="..\PostgresEndToEnd.ApiService\PostgresEndToEnd.ApiService.csproj" />

playground/PostgresEndToEnd/PostgresEndToEnd.AppHost/Program.cs

@@ -3,39 +3,14 @@
 
 var builder = DistributedApplication.CreateBuilder(args);
 
-// Abstract resources.
-var db1 = builder.AddPostgres("pg1").WithPgAdmin().AddDatabase("db1");
-var db2 = builder.AddPostgres("pg2").WithPgAdmin().AddDatabase("db2");
-var pg3 = builder.AddPostgres("pg3").WithPgAdmin();
-var db3 = pg3.AddDatabase("db3");
-var db4 = pg3.AddDatabase("db4");
-
-// Containerized resources.
-var db5 = builder.AddPostgres("pg4").WithPgAdmin().PublishAsContainer().AddDatabase("db5");
-var db6 = builder.AddPostgres("pg5").WithPgAdmin().PublishAsContainer().AddDatabase("db6");
-var pg6 = builder.AddPostgres("pg6").WithPgAdmin(c => c.WithHostPort(8999)).PublishAsContainer();
-var db7 = pg6.AddDatabase("db7");
-var db8 = pg6.AddDatabase("db8");
-var db9 = pg6.AddDatabase("db9", "db8"); // different connection string (db9) on same database as db8
-
-// External resources.
-var db10 = builder.AddPostgres("pg10").WithPgAdmin().PublishAsConnectionString().AddDatabase("db10");
-
-var db11 = builder.AddPostgres("pg11").WithPgWeb().AddDatabase("postgres");
+var db1 = builder.AddAzurePostgresFlexibleServer("pg")
+                 .RunAsContainer()
+                 .AddDatabase("db1");
 
 builder.AddProject<Projects.PostgresEndToEnd_ApiService>("api")
        .WithExternalHttpEndpoints()
-       .WithReference(db1)
-       .WithReference(db2)
-       .WithReference(db3)
-       .WithReference(db4)
-       .WithReference(db5)
-       .WithReference(db6)
-       .WithReference(db7)
-       .WithReference(db8)
-       .WithReference(db9)
-       .WithReference(db10)
-       .WithReference(db11);
+       .WithReference(db1).WaitFor(db1);
+
 #if !SKIP_DASHBOARD_REFERENCE
 // This project is only added in playground projects to support development/debugging
 // of the dashboard. It is not required in end developer code. Comment out this code