feat: implement AAD authentication

DESCRIPTION

@@ -1,7 +1,8 @@
 Package: AzureCosmosR
 Title: Interface to the 'Azure Cosmos DB' 'NoSQL' Database Service
-Version: 1.0.0
+Version: 1.1.0
 Authors@R: c(
+    person("Nicolae", "Cudlenco", , "cudlenco.n@buchi.com", role=c("author", "contributor")),
     person("Hong", "Ooi", , "hongooi73@gmail.com", role=c("aut", "cre")),
     person("Andrew", "Liu", role="ctb", comment="Assistance with Cosmos DB"),
     person("Microsoft", role="cph")

R/endpoint.R

@@ -1,8 +1,8 @@
 #' Client endpoint for Azure Cosmos DB core API
 #'
 #' @param host For `cosmos_endpoint`, the host URL for the endpoint. Typically of the form `https://{account-name}.documents.azure.com:443/` (note the port number).
-#' @param key For `cosmos_endpoint`, a string containing the password for the endpoint. This can be either a master key or a resource token.
-#' @param key_type For `cosmos_endpoint`, the type of the key, either "master" or "resource".
+#' @param key For `cosmos_endpoint`, a string containing the password for the endpoint. This can be either a master key, a resource token, or an AAD token.
+#' @param key_type For `cosmos_endpoint`, the type of the key, either "master" or "resource" or "aad".
 #' @param api_version For `cosmos_endpoint`, the API version to use.
 #' @param endpoint For `call_cosmos_endpoint`, a Cosmos DB endpoint object, as returned by `cosmos_endpoint`.
 #' @param path For `call_cosmos_endpoint`, the path in the URL for the endpoint call.
@@ -52,7 +52,7 @@
 #' }
 #' @rdname cosmos_endpoint
 #' @export
-cosmos_endpoint <- function(host, key, key_type=c("master", "resource"),
+cosmos_endpoint <- function(host, key, key_type=c("master", "resource", "aad"),
                             api_version=getOption("azure_cosmosdb_api_version"))
 {
     obj <- list(
@@ -69,6 +69,8 @@ print.cosmos_endpoint <- function(x, ...)
 {
     cat("Cosmos DB SQL endpoint\n")
     cat("Host:", httr::build_url(x$host), "\n")
+    cat("Key type:", x$key$type, "\n")
+    cat("Api version:", x$api_version, "\n")
     invisible(x)
 }
 
@@ -129,6 +131,7 @@ do_request <- function(url, key, resource_type, resource_link, headers=list(), b
             resource_link,
             now
         )
+
         response <- tryCatch(httr::VERB(http_verb, url, do.call(httr::add_headers, headers),
                                         body=body, encode=encode, ...),
                              error=function(e) e)

R/sign_request.R

@@ -5,6 +5,9 @@ sign_sha256 <- function(string, key)
 
 sign_cosmos_request <- function(key, verb, resource_type, resource_link, date)
 {
+    if(key$type == "aad")
+        return(curl::curl_escape(sprintf("type=%s&ver=1.0&sig=%s", key$type, key$value)))
+
     if(key$type == "resource")
         return(curl::curl_escape(key$value))
 
@@ -20,6 +23,7 @@ sign_cosmos_request <- function(key, verb, resource_type, resource_link, date)
         sep="\n"
     )
     sig <- sign_sha256(string_to_sign, key$value)
+
     curl::curl_escape(sprintf("type=%s&ver=1.0&sig=%s", key$type, sig))
 }
 

README.md

@@ -14,6 +14,27 @@ The primary repo for this package is at https://github.com/Azure/AzureCosmosR; p
 
 ## SQL interface
 
+### AAD authentication
+
+According to the latest security guides for Azure Cosmos DB, role-based access control is suggested in favor over key-based and resource owner password credentials-based authentication: https://learn.microsoft.com/en-us/azure/cosmos-db/table/security/.
+
+Below, we provide an example of how AAD token-based authentication can be done.
+```r
+library(AzureAuth)
+library(AzureCosmosR)
+
+token <- AzureAuth::get_managed_token("https://cosmos.azure.com")
+endpoint <- AzureCosmosR::cosmos_endpoint("https://myaccount.documents.azure.com:443/", key = token, key_type = "aad")
+
+list_cosmos_databases(endpoint)
+
+db <- get_cosmos_database(endpoint, "mydatabase")
+
+#... other operations
+```
+
+### Key based authentication
+
 AzureCosmosR provides a suite of methods to work with databases, containers (tables) and documents (rows) using the SQL API.
 
 ```r