Merge branch 'dapr:main' into main

Author: swatimodi-scout

.github/scripts/components-scripts/conformance-bindings.azure.eventgrid-setup.sh

@@ -2,16 +2,48 @@
 
 set -e
 
-# Start ngrok
-wget https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip
-unzip -qq ngrok-stable-linux-amd64.zip
+echo "Downloading ngrok..."
+wget https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.tgz
+tar -xzf ngrok-v3-stable-linux-amd64.tgz
 ./ngrok authtoken ${AzureEventGridNgrokToken}
-./ngrok http -log=stdout --log-level debug -host-header=localhost 9000 > /tmp/ngrok.log &
+
+echo "Starting ngrok tunnel..."
+./ngrok http --log=stdout --log-level=debug --host-header=localhost 9000 > /tmp/ngrok.log 2>&1 &
+NGROK_PID=$!
+
+echo "Waiting for ngrok to start..."
 sleep 10
 
-NGROK_ENDPOINT=`cat /tmp/ngrok.log |  grep -Eom1 'https://.*' | sed 's/\s.*//'`
+# Ensure ngrok is still running
+if ! kill -0 $NGROK_PID 2>/dev/null; then
+    echo "Ngrok process died. Log output:"
+    cat /tmp/ngrok.log
+    exit 1
+fi
+
+echo "Getting tunnel URL from ngrok API..."
+MAX_RETRIES=30
+RETRY_COUNT=0
+
+while [ $RETRY_COUNT -lt $MAX_RETRIES ]; do
+    if curl -s http://localhost:4040/api/tunnels > /tmp/ngrok_api.json 2>/dev/null; then
+        # Extract the public URL from the API response
+        NGROK_ENDPOINT=$(cat /tmp/ngrok_api.json | grep -o '"public_url":"[^"]*"' | head -1 | cut -d'"' -f4)
+        
+        if [ -n "$NGROK_ENDPOINT" ] && [ "$NGROK_ENDPOINT" != "null" ]; then
+            echo "Successfully got tunnel URL from API: $NGROK_ENDPOINT"
+            break
+        fi
+    fi
+    
+    echo "Waiting for ngrok API to be ready... (attempt $((RETRY_COUNT + 1))/$MAX_RETRIES)"
+    sleep 2
+    RETRY_COUNT=$((RETRY_COUNT + 1))
+done
+
 echo "Ngrok endpoint: ${NGROK_ENDPOINT}"
 echo "AzureEventGridSubscriberEndpoint=${NGROK_ENDPOINT}/api/events" >> $GITHUB_ENV
+echo "Ngrok log:"
 cat /tmp/ngrok.log
 
 # Schedule trigger to kill ngrok

.github/workflows/components-contrib-all.yml

@@ -68,19 +68,20 @@ jobs:
       GOLANGCI_LINT_VER: "v1.64.6"
     strategy:
       matrix:
-        os: [ubuntu-latest, windows-latest, macOS-latest]
+        # TODO: @nelson-parente Upgrade macos latest once dns is fixed.
+        os: [ubuntu-latest, windows-latest, macos-14]
         target_arch: [arm, amd64]
         include:
           - os: ubuntu-latest
             target_os: linux
           - os: windows-latest
             target_os: windows
-          - os: macOS-latest
+          - os: macos-14
             target_os: darwin
         exclude:
           - os: windows-latest
             target_arch: arm
-          - os: macOS-latest
+          - os: macos-14
             target_arch: arm
     steps:
       - name: Set default payload repo and ref

bindings/azure/eventgrid/eventgrid.go

@@ -51,9 +51,14 @@ const (
 	// Format for the "jwks_uri" endpoint
 	// The %s refers to the tenant ID
 	jwksURIFormat = "https://login.microsoftonline.com/%s/discovery/v2.0/keys"
-	// Format for the "iss" claim in the JWT
+	// Format for the "iss" claim in the JWT (Azure AD v2.0)
 	// The %s refers to the tenant ID
 	jwtIssuerFormat = "https://login.microsoftonline.com/%s/v2.0"
+	// Format for the "iss" claim in the JWT (Azure AD v1.0 - legacy)
+	// The %s refers to the tenant ID
+	jwtIssuerV1Format = "https://sts.windows.net/%s/"
+	// Eventgrid managed identity issuer
+	eventGridIssuer = "https://eventgrid.azure.net"
 )
 
 // AzureEventGrid allows sending/receiving Azure Event Grid events.
@@ -111,34 +116,113 @@ func (a *AzureEventGrid) Init(_ context.Context, metadata bindings.Metadata) err
 
 var matchAuthHeader = regexp.MustCompile(`(?i)^(Bearer )?(([A-Za-z0-9_-]+\.){2}[A-Za-z0-9_-]+)$`)
 
-func (a *AzureEventGrid) validateAuthHeader(ctx context.Context, authorizationHeader string) bool {
+func (a *AzureEventGrid) validateAuthHeader(ctx *fasthttp.RequestCtx) bool {
 	// Extract the bearer token from the header
+	authorizationHeader := string(ctx.Request.Header.Peek("authorization"))
 	if authorizationHeader == "" {
 		a.logger.Error("Incoming webhook request does not contain an Authorization header")
 		return false
 	}
+
 	match := matchAuthHeader.FindStringSubmatch(authorizationHeader)
 	if len(match) < 3 {
 		a.logger.Error("Incoming webhook request does not contain a valid bearer token in the Authorization header")
 		return false
 	}
 	token := match[2]
 
-	// Validate the JWT
-	_, err := jwt.ParseString(
-		token,
-		jwt.WithKeySet(a.jwks, jws.WithInferAlgorithmFromKey(true)),
-		jwt.WithAudience(a.metadata.azureClientID),
-		jwt.WithIssuer(fmt.Sprintf(jwtIssuerFormat, a.metadata.azureTenantID)),
-		jwt.WithAcceptableSkew(5*time.Minute),
-		jwt.WithContext(ctx),
-	)
+	// First, parse the JWT to see what claims we received
+	parsedToken, err := jwt.ParseString(token, jwt.WithVerify(false))
 	if err != nil {
-		a.logger.Errorf("Failed to validate JWT in the incoming webhook request: %v", err)
+		a.logger.Errorf("Failed to parse JWT: %v", err)
 		return false
 	}
 
-	return true
+	actualIssuer := parsedToken.Issuer()
+	azureADV2Issuer := fmt.Sprintf(jwtIssuerFormat, a.metadata.azureTenantID)
+	expectedAudience := a.metadata.azureClientID
+	switch actualIssuer {
+	case azureADV2Issuer:
+		// AzureAD v2.0 issuer
+		_, err = jwt.ParseString(
+			token,
+			jwt.WithKeySet(a.jwks, jws.WithInferAlgorithmFromKey(true)),
+			jwt.WithAudience(expectedAudience),
+			jwt.WithIssuer(azureADV2Issuer),
+			jwt.WithAcceptableSkew(5*time.Minute),
+			jwt.WithContext(context.Background()),
+		)
+		if err == nil {
+			return true
+		}
+
+		// Also check webhook URL as audience
+		_, err = jwt.ParseString(
+			token,
+			jwt.WithKeySet(a.jwks, jws.WithInferAlgorithmFromKey(true)),
+			jwt.WithAudience(a.metadata.SubscriberEndpoint),
+			jwt.WithIssuer(azureADV2Issuer),
+			jwt.WithAcceptableSkew(5*time.Minute),
+			jwt.WithContext(context.Background()),
+		)
+		if err == nil {
+			return true
+		}
+
+		a.logger.Errorf("JWT validation failed for AzureAD v2.0 issuer")
+		return false
+
+	case fmt.Sprintf(jwtIssuerV1Format, a.metadata.azureTenantID):
+		// AzureAD v1.0 issuer
+		a.logger.Infof("Detected AzureAD v1.0 issuer, validating...")
+		_, err = jwt.ParseString(
+			token,
+			jwt.WithKeySet(a.jwks, jws.WithInferAlgorithmFromKey(true)),
+			jwt.WithAudience(expectedAudience),
+			jwt.WithIssuer(actualIssuer),
+			jwt.WithAcceptableSkew(5*time.Minute),
+			jwt.WithContext(context.Background()),
+		)
+		if err == nil {
+			return true
+		}
+		_, err = jwt.ParseString(
+			token,
+			jwt.WithKeySet(a.jwks, jws.WithInferAlgorithmFromKey(true)),
+			jwt.WithAudience(a.metadata.SubscriberEndpoint),
+			jwt.WithIssuer(actualIssuer),
+			jwt.WithAcceptableSkew(5*time.Minute),
+			jwt.WithContext(context.Background()),
+		)
+		if err == nil {
+			return true
+		}
+
+		a.logger.Errorf("JWT validation failed for AzureAD v1.0 issuer")
+		return false
+
+	case eventGridIssuer:
+		// eventgrid managed identity issuer - use webhook URL as audience
+		_, err = jwt.ParseString(
+			token,
+			jwt.WithKeySet(a.jwks, jws.WithInferAlgorithmFromKey(true)),
+			jwt.WithAudience(a.metadata.SubscriberEndpoint),
+			jwt.WithIssuer(eventGridIssuer),
+			jwt.WithAcceptableSkew(5*time.Minute),
+			jwt.WithContext(context.Background()),
+		)
+		if err == nil {
+			return true
+		}
+
+		a.logger.Errorf("JWT validation failed for eventgrid issuer: %v", err)
+		return false
+
+	default:
+		a.logger.Errorf("Unexpected JWT issuer: %s. Expected either '%s', '%s', or '%s'",
+			actualIssuer, azureADV2Issuer, fmt.Sprintf(jwtIssuerV1Format, a.metadata.azureTenantID), eventGridIssuer)
+		return false
+	}
 }
 
 // Initializes the JWKS cache
@@ -284,10 +368,12 @@ func (a *AzureEventGrid) requestHandler(handler bindings.Handler) fasthttp.Reque
 			return
 		}
 
-		// Validate the Authorization header
-		authorizationHeader := string(ctx.Request.Header.Peek("authorization"))
-		// Note that ctx is a fasthttp context so it's actually tied to the server's lifecycle and not the request's
-		if !a.validateAuthHeader(ctx, authorizationHeader) {
+		// Options requests (webhook validation handshake) don't require authentication
+		// Azure Event Grid sends options requests without authorization header during initial validation
+		if method == http.MethodOptions {
+			// Skip authentication for options requests
+		} else if !a.validateAuthHeader(ctx) {
+			// Note that ctx is a fasthttp context so it's actually tied to the server's lifecycle and not the request's
 			ctx.Response.Header.SetStatusCode(http.StatusUnauthorized)
 			_, err = ctx.Response.BodyWriter().Write([]byte("401 Unauthorized"))
 			if err != nil {

conversation/echo/metadata.yaml

@@ -0,0 +1,11 @@
+# yaml-language-server: $schema=../../../component-metadata-schema.json
+schemaVersion: v1
+type: conversation
+name: echo
+version: v1
+status: alpha
+title: "Echo"
+urls:
+  - title: Reference
+    url: https://docs.dapr.io/reference/components-reference/supported-conversation/echo/
+metadata: []

crypto/kubernetes/secrets/component.go

@@ -123,7 +123,7 @@ func (k *kubeSecretsCrypto) retrieveKeyFromSecret(parentCtx context.Context, key
 // parseKeyString returns the secret name, key, and optional namespace from the key parameter.
 // If the key parameter doesn't contain a namespace, returns the default one.
 func (k *kubeSecretsCrypto) parseKeyString(param string) (namespace string, secret string, key string, err error) {
-	parts := strings.Split(key, "/")
+	parts := strings.Split(param, "/")
 	switch len(parts) {
 	case 3:
 		namespace = parts[0]

state/aerospike/aerospike.go

@@ -34,9 +34,9 @@ import (
 )
 
 type aerospikeMetadata struct {
-	Hosts     string
-	Namespace string
-	Set       string // optional
+	Hosts     string `json:"hosts"`
+	Namespace string `json:"namespace"`
+	Set       string `json:"set"` // optional
 }
 
 var (

state/aerospike/metadata.yaml

@@ -0,0 +1,26 @@
+# yaml-language-server: $schema=../../../component-metadata-schema.json
+schemaVersion: v1
+type: state
+name: aerospike
+version: v1
+status: alpha
+title: "Aerospike"
+urls:
+  - title: Reference
+    url: https://docs.dapr.io/reference/components-reference/supported-state-stores/setup-aerospike/
+metadata:
+  - name: hosts
+    type: string
+    required: true
+    description: Comma-separated list of Aerospike hosts.
+    example: "localhost:3000,aerospike:3000"
+  - name: namespace
+    type: string
+    required: true
+    description: The Aerospike namespace.
+    example: "test"
+  - name: set
+    type: string
+    required: false
+    description: The Aerospike set name.
+    example: "dapr-state" 

state/alicloud/tablestore/metadata.yaml

@@ -0,0 +1,40 @@
+# yaml-language-server: $schema=../../../component-metadata-schema.json
+schemaVersion: v1
+type: state
+name: alicloud.tablestore
+version: v1
+status: alpha
+title: "AliCloud TableStore"
+urls:
+  - title: Reference
+    url: https://docs.dapr.io/reference/components-reference/supported-state-stores/
+authenticationProfiles:
+  - title: "Access Key Authentication"
+    description: "Authenticate using an access key"
+    metadata:
+      - name: accessKeyID
+        type: string
+        required: true
+        description: The access key ID of the AliCloud TableStore instance.
+        example: "my_access_key_id"
+      - name: accessKey
+        type: string
+        required: true
+        description: The access key of the AliCloud TableStore instance.
+        example: "my_access_key"
+metadata:
+  - name: endpoint
+    type: string
+    required: true
+    description: The endpoint of the AliCloud TableStore instance.
+    example: "https://tablestore.aliyuncs.com"
+  - name: instanceName
+    type: string
+    required: true
+    description: The name of the AliCloud TableStore instance.
+    example: "my_instance"
+  - name: tableName
+    type: string
+    required: true
+    description: The name of the table to use.
+    example: "my_table"

state/couchbase/couchbase.go

@@ -57,12 +57,12 @@ type Couchbase struct {
 }
 
 type couchbaseMetadata struct {
-	CouchbaseURL                  string
-	Username                      string
-	Password                      string
-	BucketName                    string
-	NumReplicasDurableReplication uint
-	NumReplicasDurablePersistence uint
+	CouchbaseURL                  string `json:"couchbaseURL"`
+	Username                      string `json:"username"`
+	Password                      string `json:"password"`
+	BucketName                    string `json:"bucketName"`
+	NumReplicasDurableReplication uint   `json:"numReplicasDurableReplication"`
+	NumReplicasDurablePersistence uint   `json:"numReplicasDurablePersistence"`
 }
 
 // NewCouchbaseStateStore returns a new couchbase state store.