daviewales commented on issue #290: URL: https://github.com/apache/arrow-rs-object-store/issues/290#issuecomment-2800266889
Two thoughts:

1. Would you consider adding an option (`use_azure_cli_fallback`?) for the user to choose whether they want to fall back to Azure CLI? This allows a user to express the intention 'Use the first available credential, and if none are available, try Azure CLI.' The current `use_azure_cli` option does not support this, as enabling it skips searching other credentials.
2. The encrypted `~/.Azure/msal_token_cache.bin` used by more recent Azure CLI versions can be decrypted by any process running as the current user. For example, the following Python proof of concept successfully decrypts it:

```python
import sys
from pathlib import Path
import win32crypt  # <-- requires pywin32: https://pypi.org/project/pywin32/

token_cache = Path("~/.Azure/msal_token_cache.bin").expanduser()
with open(token_cache, 'rb') as file:
    decrypted_bytes = win32crypt.CryptUnprotectData(file.read())[1]
print(decrypted_bytes.decode())
```

The `CryptUnprotectData` function is available in the various win32 Rust crates:

- [windows_sys](https://docs.rs/windows-sys/0.59.0/windows_sys/Win32/Security/Cryptography/fn.CryptUnprotectData.html)
- [windows](https://microsoft.github.io/windows-docs-rs/doc/windows/Win32/Security/Cryptography/fn.CryptUnprotectData.html)
- [winapi](https://docs.rs/winapi/0.3.9/winapi/um/dpapi/fn.CryptUnprotectData.html)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
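The difference between the two option semantics in point 1 of the comment above, as an added Rust example that is not part of the original comment and not object_store's own code. The `Provider` trait, `Fixed`, `CliMode`, `resolve`, the `Off` default and the provider names and tokens are all hypothetical or constructed; `resolve` also returns which provider supplied the token so a caller can log when the Azure CLI credential was used.

```rust
// Added example: every name below is hypothetical, none of it is object_store's API.
trait Provider {
    fn name(&self) -> &'static str;
    fn token(&self) -> Result<String, String>;
}
// Stand-in provider with a fixed outcome (constructed sample data).
struct Fixed { name: &'static str, result: Result<&'static str, &'static str> }
impl Provider for Fixed {
    fn name(&self) -> &'static str { self.name }
    fn token(&self) -> Result<String, String> {
        self.result.map(str::to_string).map_err(str::to_string)
    }
}

#[derive(Clone, Copy)]
enum CliMode {
    Off,       // assumed default: Azure CLI is never consulted
    Exclusive, // `use_azure_cli` as the comment describes it: other credentials are skipped
    Fallback,  // proposed `use_azure_cli_fallback`: Azure CLI is tried last
}

// Returns (provider name, token) for the first provider that succeeds,
// or every provider's error so the caller can see what was attempted.
fn resolve<'a>(configured: &[&'a dyn Provider], cli: &'a dyn Provider, mode: CliMode)
    -> Result<(String, String), Vec<String>> {
    let chain: Vec<&'a dyn Provider> = match mode {
        CliMode::Off => configured.to_vec(),
        CliMode::Exclusive => vec![cli],
        CliMode::Fallback => configured.iter().copied().chain(std::iter::once(cli)).collect(),
    };
    let mut errors = Vec::new();
    for p in chain {
        match p.token() {
            Ok(t) => return Ok((p.name().to_string(), t)),
            Err(e) => errors.push(format!("{}: {}", p.name(), e)),
        }
    }
    Err(errors)
}

fn main() {
    let secret = Fixed { name: "client_secret", result: Ok("tok-secret") };
    let cli = Fixed { name: "azure_cli", result: Ok("tok-cli") };
    let configured: [&dyn Provider; 1] = [&secret];
    for mode in [CliMode::Off, CliMode::Exclusive, CliMode::Fallback] {
        println!("{:?}", resolve(&configured, &cli, mode).map(|(n, _)| n));
    }
}
```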
