.travis, build: autodelete old unstable archives (#13867)

This commit adds a build step to travis to auto-delete unstable archives older than
14 days (our regular release schedule) from Azure via ci.go purge.

The commit also pulls in the latest Azure storage code, also switching over from
the old import path (github.com/Azure/azure-sdk-for-go) to the new split one
(github.com/Azure/azure-storage-go).

vendor/github.com/Azure/go-autorest/autorest/azure/async.go

@@ -0,0 +1,308 @@
+package azure
+
+import (
+	"bytes"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/Azure/go-autorest/autorest"
+	"github.com/Azure/go-autorest/autorest/date"
+)
+
+const (
+	headerAsyncOperation = "Azure-AsyncOperation"
+)
+
+const (
+	methodDelete = "DELETE"
+	methodPatch  = "PATCH"
+	methodPost   = "POST"
+	methodPut    = "PUT"
+	methodGet    = "GET"
+
+	operationInProgress string = "InProgress"
+	operationCanceled   string = "Canceled"
+	operationFailed     string = "Failed"
+	operationSucceeded  string = "Succeeded"
+)
+
+// DoPollForAsynchronous returns a SendDecorator that polls if the http.Response is for an Azure
+// long-running operation. It will delay between requests for the duration specified in the
+// RetryAfter header or, if the header is absent, the passed delay. Polling may be canceled by
+// closing the optional channel on the http.Request.
+func DoPollForAsynchronous(delay time.Duration) autorest.SendDecorator {
+	return func(s autorest.Sender) autorest.Sender {
+		return autorest.SenderFunc(func(r *http.Request) (resp *http.Response, err error) {
+			resp, err = s.Do(r)
+			if err != nil {
+				return resp, err
+			}
+			pollingCodes := []int{http.StatusAccepted, http.StatusCreated, http.StatusOK}
+			if !autorest.ResponseHasStatusCode(resp, pollingCodes...) {
+				return resp, nil
+			}
+
+			ps := pollingState{}
+			for err == nil {
+				err = updatePollingState(resp, &ps)
+				if err != nil {
+					break
+				}
+				if ps.hasTerminated() {
+					if !ps.hasSucceeded() {
+						err = ps
+					}
+					break
+				}
+
+				r, err = newPollingRequest(resp, ps)
+				if err != nil {
+					return resp, err
+				}
+
+				delay = autorest.GetRetryAfter(resp, delay)
+				resp, err = autorest.SendWithSender(s, r,
+					autorest.AfterDelay(delay))
+			}
+
+			return resp, err
+		})
+	}
+}
+
+func getAsyncOperation(resp *http.Response) string {
+	return resp.Header.Get(http.CanonicalHeaderKey(headerAsyncOperation))
+}
+
+func hasSucceeded(state string) bool {
+	return state == operationSucceeded
+}
+
+func hasTerminated(state string) bool {
+	switch state {
+	case operationCanceled, operationFailed, operationSucceeded:
+		return true
+	default:
+		return false
+	}
+}
+
+func hasFailed(state string) bool {
+	return state == operationFailed
+}
+
+type provisioningTracker interface {
+	state() string
+	hasSucceeded() bool
+	hasTerminated() bool
+}
+
+type operationResource struct {
+	// Note:
+	// 	The specification states services should return the "id" field. However some return it as
+	// 	"operationId".
+	ID              string                 `json:"id"`
+	OperationID     string                 `json:"operationId"`
+	Name            string                 `json:"name"`
+	Status          string                 `json:"status"`
+	Properties      map[string]interface{} `json:"properties"`
+	OperationError  ServiceError           `json:"error"`
+	StartTime       date.Time              `json:"startTime"`
+	EndTime         date.Time              `json:"endTime"`
+	PercentComplete float64                `json:"percentComplete"`
+}
+
+func (or operationResource) state() string {
+	return or.Status
+}
+
+func (or operationResource) hasSucceeded() bool {
+	return hasSucceeded(or.state())
+}
+
+func (or operationResource) hasTerminated() bool {
+	return hasTerminated(or.state())
+}
+
+type provisioningProperties struct {
+	ProvisioningState string `json:"provisioningState"`
+}
+
+type provisioningStatus struct {
+	Properties        provisioningProperties `json:"properties,omitempty"`
+	ProvisioningError ServiceError           `json:"error,omitempty"`
+}
+
+func (ps provisioningStatus) state() string {
+	return ps.Properties.ProvisioningState
+}
+
+func (ps provisioningStatus) hasSucceeded() bool {
+	return hasSucceeded(ps.state())
+}
+
+func (ps provisioningStatus) hasTerminated() bool {
+	return hasTerminated(ps.state())
+}
+
+func (ps provisioningStatus) hasProvisioningError() bool {
+	return ps.ProvisioningError != ServiceError{}
+}
+
+type pollingResponseFormat string
+
+const (
+	usesOperationResponse  pollingResponseFormat = "OperationResponse"
+	usesProvisioningStatus pollingResponseFormat = "ProvisioningStatus"
+	formatIsUnknown        pollingResponseFormat = ""
+)
+
+type pollingState struct {
+	responseFormat pollingResponseFormat
+	uri            string
+	state          string
+	code           string
+	message        string
+}
+
+func (ps pollingState) hasSucceeded() bool {
+	return hasSucceeded(ps.state)
+}
+
+func (ps pollingState) hasTerminated() bool {
+	return hasTerminated(ps.state)
+}
+
+func (ps pollingState) hasFailed() bool {
+	return hasFailed(ps.state)
+}
+
+func (ps pollingState) Error() string {
+	return fmt.Sprintf("Long running operation terminated with status '%s': Code=%q Message=%q", ps.state, ps.code, ps.message)
+}
+
+//	updatePollingState maps the operation status -- retrieved from either a provisioningState
+// 	field, the status field of an OperationResource, or inferred from the HTTP status code --
+// 	into a well-known states. Since the process begins from the initial request, the state
+//	always comes from either a the provisioningState returned or is inferred from the HTTP
+//	status code. Subsequent requests will read an Azure OperationResource object if the
+//	service initially returned the Azure-AsyncOperation header. The responseFormat field notes
+//	the expected response format.
+func updatePollingState(resp *http.Response, ps *pollingState) error {
+	// Determine the response shape
+	// -- The first response will always be a provisioningStatus response; only the polling requests,
+	//    depending on the header returned, may be something otherwise.
+	var pt provisioningTracker
+	if ps.responseFormat == usesOperationResponse {
+		pt = &operationResource{}
+	} else {
+		pt = &provisioningStatus{}
+	}
+
+	// If this is the first request (that is, the polling response shape is unknown), determine how
+	// to poll and what to expect
+	if ps.responseFormat == formatIsUnknown {
+		req := resp.Request
+		if req == nil {
+			return autorest.NewError("azure", "updatePollingState", "Azure Polling Error - Original HTTP request is missing")
+		}
+
+		// Prefer the Azure-AsyncOperation header
+		ps.uri = getAsyncOperation(resp)
+		if ps.uri != "" {
+			ps.responseFormat = usesOperationResponse
+		} else {
+			ps.responseFormat = usesProvisioningStatus
+		}
+
+		// Else, use the Location header
+		if ps.uri == "" {
+			ps.uri = autorest.GetLocation(resp)
+		}
+
+		// Lastly, requests against an existing resource, use the last request URI
+		if ps.uri == "" {
+			m := strings.ToUpper(req.Method)
+			if m == methodPatch || m == methodPut || m == methodGet {
+				ps.uri = req.URL.String()
+			}
+		}
+	}
+
+	// Read and interpret the response (saving the Body in case no polling is necessary)
+	b := &bytes.Buffer{}
+	err := autorest.Respond(resp,
+		autorest.ByCopying(b),
+		autorest.ByUnmarshallingJSON(pt),
+		autorest.ByClosing())
+	resp.Body = ioutil.NopCloser(b)
+	if err != nil {
+		return err
+	}
+
+	// Interpret the results
+	// -- Terminal states apply regardless
+	// -- Unknown states are per-service inprogress states
+	// -- Otherwise, infer state from HTTP status code
+	if pt.hasTerminated() {
+		ps.state = pt.state()
+	} else if pt.state() != "" {
+		ps.state = operationInProgress
+	} else {
+		switch resp.StatusCode {
+		case http.StatusAccepted:
+			ps.state = operationInProgress
+
+		case http.StatusNoContent, http.StatusCreated, http.StatusOK:
+			ps.state = operationSucceeded
+
+		default:
+			ps.state = operationFailed
+		}
+	}
+
+	if ps.state == operationInProgress && ps.uri == "" {
+		return autorest.NewError("azure", "updatePollingState", "Azure Polling Error - Unable to obtain polling URI for %s %s", resp.Request.Method, resp.Request.URL)
+	}
+
+	// For failed operation, check for error code and message in
+	// -- Operation resource
+	// -- Response
+	// -- Otherwise, Unknown
+	if ps.hasFailed() {
+		if ps.responseFormat == usesOperationResponse {
+			or := pt.(*operationResource)
+			ps.code = or.OperationError.Code
+			ps.message = or.OperationError.Message
+		} else {
+			p := pt.(*provisioningStatus)
+			if p.hasProvisioningError() {
+				ps.code = p.ProvisioningError.Code
+				ps.message = p.ProvisioningError.Message
+			} else {
+				ps.code = "Unknown"
+				ps.message = "None"
+			}
+		}
+	}
+	return nil
+}
+
+func newPollingRequest(resp *http.Response, ps pollingState) (*http.Request, error) {
+	req := resp.Request
+	if req == nil {
+		return nil, autorest.NewError("azure", "newPollingRequest", "Azure Polling Error - Original HTTP request is missing")
+	}
+
+	reqPoll, err := autorest.Prepare(&http.Request{Cancel: req.Cancel},
+		autorest.AsGet(),
+		autorest.WithBaseURL(ps.uri))
+	if err != nil {
+		return nil, autorest.NewErrorWithError(err, "azure", "newPollingRequest", nil, "Failure creating poll request to %s", ps.uri)
+	}
+
+	return reqPoll, nil
+}

vendor/github.com/Azure/go-autorest/autorest/azure/azure.go

@@ -0,0 +1,180 @@
+/*
+Package azure provides Azure-specific implementations used with AutoRest.
+
+See the included examples for more detail.
+*/
+package azure
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strconv"
+
+	"github.com/Azure/go-autorest/autorest"
+)
+
+const (
+	// HeaderClientID is the Azure extension header to set a user-specified request ID.
+	HeaderClientID = "x-ms-client-request-id"
+
+	// HeaderReturnClientID is the Azure extension header to set if the user-specified request ID
+	// should be included in the response.
+	HeaderReturnClientID = "x-ms-return-client-request-id"
+
+	// HeaderRequestID is the Azure extension header of the service generated request ID returned
+	// in the response.
+	HeaderRequestID = "x-ms-request-id"
+)
+
+// ServiceError encapsulates the error response from an Azure service.
+type ServiceError struct {
+	Code    string         `json:"code"`
+	Message string         `json:"message"`
+	Details *[]interface{} `json:"details"`
+}
+
+func (se ServiceError) Error() string {
+	if se.Details != nil {
+		d, err := json.Marshal(*(se.Details))
+		if err != nil {
+			return fmt.Sprintf("Code=%q Message=%q Details=%v", se.Code, se.Message, *se.Details)
+		}
+		return fmt.Sprintf("Code=%q Message=%q Details=%v", se.Code, se.Message, string(d))
+	}
+	return fmt.Sprintf("Code=%q Message=%q", se.Code, se.Message)
+}
+
+// RequestError describes an error response returned by Azure service.
+type RequestError struct {
+	autorest.DetailedError
+
+	// The error returned by the Azure service.
+	ServiceError *ServiceError `json:"error"`
+
+	// The request id (from the x-ms-request-id-header) of the request.
+	RequestID string
+}
+
+// Error returns a human-friendly error message from service error.
+func (e RequestError) Error() string {
+	return fmt.Sprintf("autorest/azure: Service returned an error. Status=%v %v",
+		e.StatusCode, e.ServiceError)
+}
+
+// IsAzureError returns true if the passed error is an Azure Service error; false otherwise.
+func IsAzureError(e error) bool {
+	_, ok := e.(*RequestError)
+	return ok
+}
+
+// NewErrorWithError creates a new Error conforming object from the
+// passed packageType, method, statusCode of the given resp (UndefinedStatusCode
+// if resp is nil), message, and original error. message is treated as a format
+// string to which the optional args apply.
+func NewErrorWithError(original error, packageType string, method string, resp *http.Response, message string, args ...interface{}) RequestError {
+	if v, ok := original.(*RequestError); ok {
+		return *v
+	}
+
+	statusCode := autorest.UndefinedStatusCode
+	if resp != nil {
+		statusCode = resp.StatusCode
+	}
+	return RequestError{
+		DetailedError: autorest.DetailedError{
+			Original:    original,
+			PackageType: packageType,
+			Method:      method,
+			StatusCode:  statusCode,
+			Message:     fmt.Sprintf(message, args...),
+		},
+	}
+}
+
+// WithReturningClientID returns a PrepareDecorator that adds an HTTP extension header of
+// x-ms-client-request-id whose value is the passed, undecorated UUID (e.g.,
+// "0F39878C-5F76-4DB8-A25D-61D2C193C3CA"). It also sets the x-ms-return-client-request-id
+// header to true such that UUID accompanies the http.Response.
+func WithReturningClientID(uuid string) autorest.PrepareDecorator {
+	preparer := autorest.CreatePreparer(
+		WithClientID(uuid),
+		WithReturnClientID(true))
+
+	return func(p autorest.Preparer) autorest.Preparer {
+		return autorest.PreparerFunc(func(r *http.Request) (*http.Request, error) {
+			r, err := p.Prepare(r)
+			if err != nil {
+				return r, err
+			}
+			return preparer.Prepare(r)
+		})
+	}
+}
+
+// WithClientID returns a PrepareDecorator that adds an HTTP extension header of
+// x-ms-client-request-id whose value is passed, undecorated UUID (e.g.,
+// "0F39878C-5F76-4DB8-A25D-61D2C193C3CA").
+func WithClientID(uuid string) autorest.PrepareDecorator {
+	return autorest.WithHeader(HeaderClientID, uuid)
+}
+
+// WithReturnClientID returns a PrepareDecorator that adds an HTTP extension header of
+// x-ms-return-client-request-id whose boolean value indicates if the value of the
+// x-ms-client-request-id header should be included in the http.Response.
+func WithReturnClientID(b bool) autorest.PrepareDecorator {
+	return autorest.WithHeader(HeaderReturnClientID, strconv.FormatBool(b))
+}
+
+// ExtractClientID extracts the client identifier from the x-ms-client-request-id header set on the
+// http.Request sent to the service (and returned in the http.Response)
+func ExtractClientID(resp *http.Response) string {
+	return autorest.ExtractHeaderValue(HeaderClientID, resp)
+}
+
+// ExtractRequestID extracts the Azure server generated request identifier from the
+// x-ms-request-id header.
+func ExtractRequestID(resp *http.Response) string {
+	return autorest.ExtractHeaderValue(HeaderRequestID, resp)
+}
+
+// WithErrorUnlessStatusCode returns a RespondDecorator that emits an
+// azure.RequestError by reading the response body unless the response HTTP status code
+// is among the set passed.
+//
+// If there is a chance service may return responses other than the Azure error
+// format and the response cannot be parsed into an error, a decoding error will
+// be returned containing the response body. In any case, the Responder will
+// return an error if the status code is not satisfied.
+//
+// If this Responder returns an error, the response body will be replaced with
+// an in-memory reader, which needs no further closing.
+func WithErrorUnlessStatusCode(codes ...int) autorest.RespondDecorator {
+	return func(r autorest.Responder) autorest.Responder {
+		return autorest.ResponderFunc(func(resp *http.Response) error {
+			err := r.Respond(resp)
+			if err == nil && !autorest.ResponseHasStatusCode(resp, codes...) {
+				var e RequestError
+				defer resp.Body.Close()
+
+				// Copy and replace the Body in case it does not contain an error object.
+				// This will leave the Body available to the caller.
+				b, decodeErr := autorest.CopyAndDecode(autorest.EncodedAsJSON, resp.Body, &e)
+				resp.Body = ioutil.NopCloser(&b)
+				if decodeErr != nil {
+					return fmt.Errorf("autorest/azure: error response cannot be parsed: %q error: %v", b.String(), decodeErr)
+				} else if e.ServiceError == nil {
+					e.ServiceError = &ServiceError{Code: "Unknown", Message: "Unknown service error"}
+				}
+
+				e.RequestID = ExtractRequestID(resp)
+				if e.StatusCode == nil {
+					e.StatusCode = resp.StatusCode
+				}
+				err = &e
+			}
+			return err
+		})
+	}
+}

vendor/github.com/Azure/go-autorest/autorest/azure/config.go

@@ -0,0 +1,13 @@
+package azure
+
+import (
+	"net/url"
+)
+
+// OAuthConfig represents the endpoints needed
+// in OAuth operations
+type OAuthConfig struct {
+	AuthorizeEndpoint  url.URL
+	TokenEndpoint      url.URL
+	DeviceCodeEndpoint url.URL
+}

vendor/github.com/Azure/go-autorest/autorest/azure/devicetoken.go

@@ -0,0 +1,193 @@
+package azure
+
+/*
+  This file is largely based on rjw57/oauth2device's code, with the follow differences:
+   * scope -> resource, and only allow a single one
+   * receive "Message" in the DeviceCode struct and show it to users as the prompt
+   * azure-xplat-cli has the following behavior that this emulates:
+     - does not send client_secret during the token exchange
+     - sends resource again in the token exchange request
+*/
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+	"time"
+
+	"github.com/Azure/go-autorest/autorest"
+)
+
+const (
+	logPrefix = "autorest/azure/devicetoken:"
+)
+
+var (
+	// ErrDeviceGeneric represents an unknown error from the token endpoint when using device flow
+	ErrDeviceGeneric = fmt.Errorf("%s Error while retrieving OAuth token: Unknown Error", logPrefix)
+
+	// ErrDeviceAccessDenied represents an access denied error from the token endpoint when using device flow
+	ErrDeviceAccessDenied = fmt.Errorf("%s Error while retrieving OAuth token: Access Denied", logPrefix)
+
+	// ErrDeviceAuthorizationPending represents the server waiting on the user to complete the device flow
+	ErrDeviceAuthorizationPending = fmt.Errorf("%s Error while retrieving OAuth token: Authorization Pending", logPrefix)
+
+	// ErrDeviceCodeExpired represents the server timing out and expiring the code during device flow
+	ErrDeviceCodeExpired = fmt.Errorf("%s Error while retrieving OAuth token: Code Expired", logPrefix)
+
+	// ErrDeviceSlowDown represents the service telling us we're polling too often during device flow
+	ErrDeviceSlowDown = fmt.Errorf("%s Error while retrieving OAuth token: Slow Down", logPrefix)
+
+	errCodeSendingFails   = "Error occurred while sending request for Device Authorization Code"
+	errCodeHandlingFails  = "Error occurred while handling response from the Device Endpoint"
+	errTokenSendingFails  = "Error occurred while sending request with device code for a token"
+	errTokenHandlingFails = "Error occurred while handling response from the Token Endpoint (during device flow)"
+)
+
+// DeviceCode is the object returned by the device auth endpoint
+// It contains information to instruct the user to complete the auth flow
+type DeviceCode struct {
+	DeviceCode      *string `json:"device_code,omitempty"`
+	UserCode        *string `json:"user_code,omitempty"`
+	VerificationURL *string `json:"verification_url,omitempty"`
+	ExpiresIn       *int64  `json:"expires_in,string,omitempty"`
+	Interval        *int64  `json:"interval,string,omitempty"`
+
+	Message     *string `json:"message"` // Azure specific
+	Resource    string  // store the following, stored when initiating, used when exchanging
+	OAuthConfig OAuthConfig
+	ClientID    string
+}
+
+// TokenError is the object returned by the token exchange endpoint
+// when something is amiss
+type TokenError struct {
+	Error            *string `json:"error,omitempty"`
+	ErrorCodes       []int   `json:"error_codes,omitempty"`
+	ErrorDescription *string `json:"error_description,omitempty"`
+	Timestamp        *string `json:"timestamp,omitempty"`
+	TraceID          *string `json:"trace_id,omitempty"`
+}
+
+// DeviceToken is the object return by the token exchange endpoint
+// It can either look like a Token or an ErrorToken, so put both here
+// and check for presence of "Error" to know if we are in error state
+type deviceToken struct {
+	Token
+	TokenError
+}
+
+// InitiateDeviceAuth initiates a device auth flow. It returns a DeviceCode
+// that can be used with CheckForUserCompletion or WaitForUserCompletion.
+func InitiateDeviceAuth(client *autorest.Client, oauthConfig OAuthConfig, clientID, resource string) (*DeviceCode, error) {
+	req, _ := autorest.Prepare(
+		&http.Request{},
+		autorest.AsPost(),
+		autorest.AsFormURLEncoded(),
+		autorest.WithBaseURL(oauthConfig.DeviceCodeEndpoint.String()),
+		autorest.WithFormData(url.Values{
+			"client_id": []string{clientID},
+			"resource":  []string{resource},
+		}),
+	)
+
+	resp, err := autorest.SendWithSender(client, req)
+	if err != nil {
+		return nil, fmt.Errorf("%s %s: %s", logPrefix, errCodeSendingFails, err)
+	}
+
+	var code DeviceCode
+	err = autorest.Respond(
+		resp,
+		autorest.WithErrorUnlessStatusCode(http.StatusOK),
+		autorest.ByUnmarshallingJSON(&code),
+		autorest.ByClosing())
+	if err != nil {
+		return nil, fmt.Errorf("%s %s: %s", logPrefix, errCodeHandlingFails, err)
+	}
+
+	code.ClientID = clientID
+	code.Resource = resource
+	code.OAuthConfig = oauthConfig
+
+	return &code, nil
+}
+
+// CheckForUserCompletion takes a DeviceCode and checks with the Azure AD OAuth endpoint
+// to see if the device flow has: been completed, timed out, or otherwise failed
+func CheckForUserCompletion(client *autorest.Client, code *DeviceCode) (*Token, error) {
+	req, _ := autorest.Prepare(
+		&http.Request{},
+		autorest.AsPost(),
+		autorest.AsFormURLEncoded(),
+		autorest.WithBaseURL(code.OAuthConfig.TokenEndpoint.String()),
+		autorest.WithFormData(url.Values{
+			"client_id":  []string{code.ClientID},
+			"code":       []string{*code.DeviceCode},
+			"grant_type": []string{OAuthGrantTypeDeviceCode},
+			"resource":   []string{code.Resource},
+		}),
+	)
+
+	resp, err := autorest.SendWithSender(client, req)
+	if err != nil {
+		return nil, fmt.Errorf("%s %s: %s", logPrefix, errTokenSendingFails, err)
+	}
+
+	var token deviceToken
+	err = autorest.Respond(
+		resp,
+		autorest.WithErrorUnlessStatusCode(http.StatusOK, http.StatusBadRequest),
+		autorest.ByUnmarshallingJSON(&token),
+		autorest.ByClosing())
+	if err != nil {
+		return nil, fmt.Errorf("%s %s: %s", logPrefix, errTokenHandlingFails, err)
+	}
+
+	if token.Error == nil {
+		return &token.Token, nil
+	}
+
+	switch *token.Error {
+	case "authorization_pending":
+		return nil, ErrDeviceAuthorizationPending
+	case "slow_down":
+		return nil, ErrDeviceSlowDown
+	case "access_denied":
+		return nil, ErrDeviceAccessDenied
+	case "code_expired":
+		return nil, ErrDeviceCodeExpired
+	default:
+		return nil, ErrDeviceGeneric
+	}
+}
+
+// WaitForUserCompletion calls CheckForUserCompletion repeatedly until a token is granted or an error state occurs.
+// This prevents the user from looping and checking against 'ErrDeviceAuthorizationPending'.
+func WaitForUserCompletion(client *autorest.Client, code *DeviceCode) (*Token, error) {
+	intervalDuration := time.Duration(*code.Interval) * time.Second
+	waitDuration := intervalDuration
+
+	for {
+		token, err := CheckForUserCompletion(client, code)
+
+		if err == nil {
+			return token, nil
+		}
+
+		switch err {
+		case ErrDeviceSlowDown:
+			waitDuration += waitDuration
+		case ErrDeviceAuthorizationPending:
+			// noop
+		default: // everything else is "fatal" to us
+			return nil, err
+		}
+
+		if waitDuration > (intervalDuration * 3) {
+			return nil, fmt.Errorf("%s Error waiting for user to complete device flow. Server told us to slow_down too much", logPrefix)
+		}
+
+		time.Sleep(waitDuration)
+	}
+}

vendor/github.com/Azure/go-autorest/autorest/azure/environments.go

@@ -0,0 +1,167 @@
+package azure
+
+import (
+	"fmt"
+	"net/url"
+	"strings"
+)
+
+const (
+	activeDirectoryAPIVersion = "1.0"
+)
+
+var environments = map[string]Environment{
+	"AZURECHINACLOUD":        ChinaCloud,
+	"AZUREGERMANCLOUD":       GermanCloud,
+	"AZUREPUBLICCLOUD":       PublicCloud,
+	"AZUREUSGOVERNMENTCLOUD": USGovernmentCloud,
+}
+
+// Environment represents a set of endpoints for each of Azure's Clouds.
+type Environment struct {
+	Name                         string `json:"name"`
+	ManagementPortalURL          string `json:"managementPortalURL"`
+	PublishSettingsURL           string `json:"publishSettingsURL"`
+	ServiceManagementEndpoint    string `json:"serviceManagementEndpoint"`
+	ResourceManagerEndpoint      string `json:"resourceManagerEndpoint"`
+	ActiveDirectoryEndpoint      string `json:"activeDirectoryEndpoint"`
+	GalleryEndpoint              string `json:"galleryEndpoint"`
+	KeyVaultEndpoint             string `json:"keyVaultEndpoint"`
+	GraphEndpoint                string `json:"graphEndpoint"`
+	StorageEndpointSuffix        string `json:"storageEndpointSuffix"`
+	SQLDatabaseDNSSuffix         string `json:"sqlDatabaseDNSSuffix"`
+	TrafficManagerDNSSuffix      string `json:"trafficManagerDNSSuffix"`
+	KeyVaultDNSSuffix            string `json:"keyVaultDNSSuffix"`
+	ServiceBusEndpointSuffix     string `json:"serviceBusEndpointSuffix"`
+	ServiceManagementVMDNSSuffix string `json:"serviceManagementVMDNSSuffix"`
+	ResourceManagerVMDNSSuffix   string `json:"resourceManagerVMDNSSuffix"`
+	ContainerRegistryDNSSuffix   string `json:"containerRegistryDNSSuffix"`
+}
+
+var (
+	// PublicCloud is the default public Azure cloud environment
+	PublicCloud = Environment{
+		Name:                         "AzurePublicCloud",
+		ManagementPortalURL:          "https://manage.windowsazure.com/",
+		PublishSettingsURL:           "https://manage.windowsazure.com/publishsettings/index",
+		ServiceManagementEndpoint:    "https://management.core.windows.net/",
+		ResourceManagerEndpoint:      "https://management.azure.com/",
+		ActiveDirectoryEndpoint:      "https://login.microsoftonline.com/",
+		GalleryEndpoint:              "https://gallery.azure.com/",
+		KeyVaultEndpoint:             "https://vault.azure.net/",
+		GraphEndpoint:                "https://graph.windows.net/",
+		StorageEndpointSuffix:        "core.windows.net",
+		SQLDatabaseDNSSuffix:         "database.windows.net",
+		TrafficManagerDNSSuffix:      "trafficmanager.net",
+		KeyVaultDNSSuffix:            "vault.azure.net",
+		ServiceBusEndpointSuffix:     "servicebus.azure.com",
+		ServiceManagementVMDNSSuffix: "cloudapp.net",
+		ResourceManagerVMDNSSuffix:   "cloudapp.azure.com",
+		ContainerRegistryDNSSuffix:   "azurecr.io",
+	}
+
+	// USGovernmentCloud is the cloud environment for the US Government
+	USGovernmentCloud = Environment{
+		Name:                         "AzureUSGovernmentCloud",
+		ManagementPortalURL:          "https://manage.windowsazure.us/",
+		PublishSettingsURL:           "https://manage.windowsazure.us/publishsettings/index",
+		ServiceManagementEndpoint:    "https://management.core.usgovcloudapi.net/",
+		ResourceManagerEndpoint:      "https://management.usgovcloudapi.net/",
+		ActiveDirectoryEndpoint:      "https://login.microsoftonline.com/",
+		GalleryEndpoint:              "https://gallery.usgovcloudapi.net/",
+		KeyVaultEndpoint:             "https://vault.usgovcloudapi.net/",
+		GraphEndpoint:                "https://graph.usgovcloudapi.net/",
+		StorageEndpointSuffix:        "core.usgovcloudapi.net",
+		SQLDatabaseDNSSuffix:         "database.usgovcloudapi.net",
+		TrafficManagerDNSSuffix:      "usgovtrafficmanager.net",
+		KeyVaultDNSSuffix:            "vault.usgovcloudapi.net",
+		ServiceBusEndpointSuffix:     "servicebus.usgovcloudapi.net",
+		ServiceManagementVMDNSSuffix: "usgovcloudapp.net",
+		ResourceManagerVMDNSSuffix:   "cloudapp.windowsazure.us",
+		ContainerRegistryDNSSuffix:   "azurecr.io",
+	}
+
+	// ChinaCloud is the cloud environment operated in China
+	ChinaCloud = Environment{
+		Name:                         "AzureChinaCloud",
+		ManagementPortalURL:          "https://manage.chinacloudapi.com/",
+		PublishSettingsURL:           "https://manage.chinacloudapi.com/publishsettings/index",
+		ServiceManagementEndpoint:    "https://management.core.chinacloudapi.cn/",
+		ResourceManagerEndpoint:      "https://management.chinacloudapi.cn/",
+		ActiveDirectoryEndpoint:      "https://login.chinacloudapi.cn/",
+		GalleryEndpoint:              "https://gallery.chinacloudapi.cn/",
+		KeyVaultEndpoint:             "https://vault.azure.cn/",
+		GraphEndpoint:                "https://graph.chinacloudapi.cn/",
+		StorageEndpointSuffix:        "core.chinacloudapi.cn",
+		SQLDatabaseDNSSuffix:         "database.chinacloudapi.cn",
+		TrafficManagerDNSSuffix:      "trafficmanager.cn",
+		KeyVaultDNSSuffix:            "vault.azure.cn",
+		ServiceBusEndpointSuffix:     "servicebus.chinacloudapi.net",
+		ServiceManagementVMDNSSuffix: "chinacloudapp.cn",
+		ResourceManagerVMDNSSuffix:   "cloudapp.azure.cn",
+		ContainerRegistryDNSSuffix:   "azurecr.io",
+	}
+
+	// GermanCloud is the cloud environment operated in Germany
+	GermanCloud = Environment{
+		Name:                         "AzureGermanCloud",
+		ManagementPortalURL:          "http://portal.microsoftazure.de/",
+		PublishSettingsURL:           "https://manage.microsoftazure.de/publishsettings/index",
+		ServiceManagementEndpoint:    "https://management.core.cloudapi.de/",
+		ResourceManagerEndpoint:      "https://management.microsoftazure.de/",
+		ActiveDirectoryEndpoint:      "https://login.microsoftonline.de/",
+		GalleryEndpoint:              "https://gallery.cloudapi.de/",
+		KeyVaultEndpoint:             "https://vault.microsoftazure.de/",
+		GraphEndpoint:                "https://graph.cloudapi.de/",
+		StorageEndpointSuffix:        "core.cloudapi.de",
+		SQLDatabaseDNSSuffix:         "database.cloudapi.de",
+		TrafficManagerDNSSuffix:      "azuretrafficmanager.de",
+		KeyVaultDNSSuffix:            "vault.microsoftazure.de",
+		ServiceBusEndpointSuffix:     "servicebus.cloudapi.de",
+		ServiceManagementVMDNSSuffix: "azurecloudapp.de",
+		ResourceManagerVMDNSSuffix:   "cloudapp.microsoftazure.de",
+		ContainerRegistryDNSSuffix:   "azurecr.io",
+	}
+)
+
+// EnvironmentFromName returns an Environment based on the common name specified
+func EnvironmentFromName(name string) (Environment, error) {
+	name = strings.ToUpper(name)
+	env, ok := environments[name]
+	if !ok {
+		return env, fmt.Errorf("autorest/azure: There is no cloud environment matching the name %q", name)
+	}
+	return env, nil
+}
+
+// OAuthConfigForTenant returns an OAuthConfig with tenant specific urls
+func (env Environment) OAuthConfigForTenant(tenantID string) (*OAuthConfig, error) {
+	return OAuthConfigForTenant(env.ActiveDirectoryEndpoint, tenantID)
+}
+
+// OAuthConfigForTenant returns an OAuthConfig with tenant specific urls for target cloud auth endpoint
+func OAuthConfigForTenant(activeDirectoryEndpoint, tenantID string) (*OAuthConfig, error) {
+	template := "%s/oauth2/%s?api-version=%s"
+	u, err := url.Parse(activeDirectoryEndpoint)
+	if err != nil {
+		return nil, err
+	}
+	authorizeURL, err := u.Parse(fmt.Sprintf(template, tenantID, "authorize", activeDirectoryAPIVersion))
+	if err != nil {
+		return nil, err
+	}
+	tokenURL, err := u.Parse(fmt.Sprintf(template, tenantID, "token", activeDirectoryAPIVersion))
+	if err != nil {
+		return nil, err
+	}
+	deviceCodeURL, err := u.Parse(fmt.Sprintf(template, tenantID, "devicecode", activeDirectoryAPIVersion))
+	if err != nil {
+		return nil, err
+	}
+
+	return &OAuthConfig{
+		AuthorizeEndpoint:  *authorizeURL,
+		TokenEndpoint:      *tokenURL,
+		DeviceCodeEndpoint: *deviceCodeURL,
+	}, nil
+}

vendor/github.com/Azure/go-autorest/autorest/azure/persist.go

@@ -0,0 +1,59 @@
+package azure
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"path/filepath"
+)
+
+// LoadToken restores a Token object from a file located at 'path'.
+func LoadToken(path string) (*Token, error) {
+	file, err := os.Open(path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open file (%s) while loading token: %v", path, err)
+	}
+	defer file.Close()
+
+	var token Token
+
+	dec := json.NewDecoder(file)
+	if err = dec.Decode(&token); err != nil {
+		return nil, fmt.Errorf("failed to decode contents of file (%s) into Token representation: %v", path, err)
+	}
+	return &token, nil
+}
+
+// SaveToken persists an oauth token at the given location on disk.
+// It moves the new file into place so it can safely be used to replace an existing file
+// that maybe accessed by multiple processes.
+func SaveToken(path string, mode os.FileMode, token Token) error {
+	dir := filepath.Dir(path)
+	err := os.MkdirAll(dir, os.ModePerm)
+	if err != nil {
+		return fmt.Errorf("failed to create directory (%s) to store token in: %v", dir, err)
+	}
+
+	newFile, err := ioutil.TempFile(dir, "token")
+	if err != nil {
+		return fmt.Errorf("failed to create the temp file to write the token: %v", err)
+	}
+	tempPath := newFile.Name()
+
+	if err := json.NewEncoder(newFile).Encode(token); err != nil {
+		return fmt.Errorf("failed to encode token to file (%s) while saving token: %v", tempPath, err)
+	}
+	if err := newFile.Close(); err != nil {
+		return fmt.Errorf("failed to close temp file %s: %v", tempPath, err)
+	}
+
+	// Atomic replace to avoid multi-writer file corruptions
+	if err := os.Rename(tempPath, path); err != nil {
+		return fmt.Errorf("failed to move temporary token to desired output location. src=%s dst=%s: %v", tempPath, path, err)
+	}
+	if err := os.Chmod(path, mode); err != nil {
+		return fmt.Errorf("failed to chmod the token file %s: %v", path, err)
+	}
+	return nil
+}

vendor/github.com/Azure/go-autorest/autorest/azure/token.go

@@ -0,0 +1,363 @@
+package azure
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha1"
+	"crypto/x509"
+	"encoding/base64"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strconv"
+	"time"
+
+	"github.com/Azure/go-autorest/autorest"
+	"github.com/dgrijalva/jwt-go"
+)
+
+const (
+	defaultRefresh = 5 * time.Minute
+	tokenBaseDate  = "1970-01-01T00:00:00Z"
+
+	// OAuthGrantTypeDeviceCode is the "grant_type" identifier used in device flow
+	OAuthGrantTypeDeviceCode = "device_code"
+
+	// OAuthGrantTypeClientCredentials is the "grant_type" identifier used in credential flows
+	OAuthGrantTypeClientCredentials = "client_credentials"
+
+	// OAuthGrantTypeRefreshToken is the "grant_type" identifier used in refresh token flows
+	OAuthGrantTypeRefreshToken = "refresh_token"
+)
+
+var expirationBase time.Time
+
+func init() {
+	expirationBase, _ = time.Parse(time.RFC3339, tokenBaseDate)
+}
+
+// TokenRefreshCallback is the type representing callbacks that will be called after
+// a successful token refresh
+type TokenRefreshCallback func(Token) error
+
+// Token encapsulates the access token used to authorize Azure requests.
+type Token struct {
+	AccessToken  string `json:"access_token"`
+	RefreshToken string `json:"refresh_token"`
+
+	ExpiresIn string `json:"expires_in"`
+	ExpiresOn string `json:"expires_on"`
+	NotBefore string `json:"not_before"`
+
+	Resource string `json:"resource"`
+	Type     string `json:"token_type"`
+}
+
+// Expires returns the time.Time when the Token expires.
+func (t Token) Expires() time.Time {
+	s, err := strconv.Atoi(t.ExpiresOn)
+	if err != nil {
+		s = -3600
+	}
+	return expirationBase.Add(time.Duration(s) * time.Second).UTC()
+}
+
+// IsExpired returns true if the Token is expired, false otherwise.
+func (t Token) IsExpired() bool {
+	return t.WillExpireIn(0)
+}
+
+// WillExpireIn returns true if the Token will expire after the passed time.Duration interval
+// from now, false otherwise.
+func (t Token) WillExpireIn(d time.Duration) bool {
+	return !t.Expires().After(time.Now().Add(d))
+}
+
+// WithAuthorization returns a PrepareDecorator that adds an HTTP Authorization header whose
+// value is "Bearer " followed by the AccessToken of the Token.
+func (t *Token) WithAuthorization() autorest.PrepareDecorator {
+	return func(p autorest.Preparer) autorest.Preparer {
+		return autorest.PreparerFunc(func(r *http.Request) (*http.Request, error) {
+			return (autorest.WithBearerAuthorization(t.AccessToken)(p)).Prepare(r)
+		})
+	}
+}
+
+// ServicePrincipalNoSecret represents a secret type that contains no secret
+// meaning it is not valid for fetching a fresh token. This is used by Manual
+type ServicePrincipalNoSecret struct {
+}
+
+// SetAuthenticationValues is a method of the interface ServicePrincipalSecret
+// It only returns an error for the ServicePrincipalNoSecret type
+func (noSecret *ServicePrincipalNoSecret) SetAuthenticationValues(spt *ServicePrincipalToken, v *url.Values) error {
+	return fmt.Errorf("Manually created ServicePrincipalToken does not contain secret material to retrieve a new access token")
+}
+
+// ServicePrincipalSecret is an interface that allows various secret mechanism to fill the form
+// that is submitted when acquiring an oAuth token.
+type ServicePrincipalSecret interface {
+	SetAuthenticationValues(spt *ServicePrincipalToken, values *url.Values) error
+}
+
+// ServicePrincipalTokenSecret implements ServicePrincipalSecret for client_secret type authorization.
+type ServicePrincipalTokenSecret struct {
+	ClientSecret string
+}
+
+// SetAuthenticationValues is a method of the interface ServicePrincipalSecret.
+// It will populate the form submitted during oAuth Token Acquisition using the client_secret.
+func (tokenSecret *ServicePrincipalTokenSecret) SetAuthenticationValues(spt *ServicePrincipalToken, v *url.Values) error {
+	v.Set("client_secret", tokenSecret.ClientSecret)
+	return nil
+}
+
+// ServicePrincipalCertificateSecret implements ServicePrincipalSecret for generic RSA cert auth with signed JWTs.
+type ServicePrincipalCertificateSecret struct {
+	Certificate *x509.Certificate
+	PrivateKey  *rsa.PrivateKey
+}
+
+// SignJwt returns the JWT signed with the certificate's private key.
+func (secret *ServicePrincipalCertificateSecret) SignJwt(spt *ServicePrincipalToken) (string, error) {
+	hasher := sha1.New()
+	_, err := hasher.Write(secret.Certificate.Raw)
+	if err != nil {
+		return "", err
+	}
+
+	thumbprint := base64.URLEncoding.EncodeToString(hasher.Sum(nil))
+
+	// The jti (JWT ID) claim provides a unique identifier for the JWT.
+	jti := make([]byte, 20)
+	_, err = rand.Read(jti)
+	if err != nil {
+		return "", err
+	}
+
+	token := jwt.New(jwt.SigningMethodRS256)
+	token.Header["x5t"] = thumbprint
+	token.Claims = jwt.MapClaims{
+		"aud": spt.oauthConfig.TokenEndpoint.String(),
+		"iss": spt.clientID,
+		"sub": spt.clientID,
+		"jti": base64.URLEncoding.EncodeToString(jti),
+		"nbf": time.Now().Unix(),
+		"exp": time.Now().Add(time.Hour * 24).Unix(),
+	}
+
+	signedString, err := token.SignedString(secret.PrivateKey)
+	return signedString, err
+}
+
+// SetAuthenticationValues is a method of the interface ServicePrincipalSecret.
+// It will populate the form submitted during oAuth Token Acquisition using a JWT signed with a certificate.
+func (secret *ServicePrincipalCertificateSecret) SetAuthenticationValues(spt *ServicePrincipalToken, v *url.Values) error {
+	jwt, err := secret.SignJwt(spt)
+	if err != nil {
+		return err
+	}
+
+	v.Set("client_assertion", jwt)
+	v.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
+	return nil
+}
+
+// ServicePrincipalToken encapsulates a Token created for a Service Principal.
+type ServicePrincipalToken struct {
+	Token
+
+	secret        ServicePrincipalSecret
+	oauthConfig   OAuthConfig
+	clientID      string
+	resource      string
+	autoRefresh   bool
+	refreshWithin time.Duration
+	sender        autorest.Sender
+
+	refreshCallbacks []TokenRefreshCallback
+}
+
+// NewServicePrincipalTokenWithSecret create a ServicePrincipalToken using the supplied ServicePrincipalSecret implementation.
+func NewServicePrincipalTokenWithSecret(oauthConfig OAuthConfig, id string, resource string, secret ServicePrincipalSecret, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error) {
+	spt := &ServicePrincipalToken{
+		oauthConfig:      oauthConfig,
+		secret:           secret,
+		clientID:         id,
+		resource:         resource,
+		autoRefresh:      true,
+		refreshWithin:    defaultRefresh,
+		sender:           &http.Client{},
+		refreshCallbacks: callbacks,
+	}
+	return spt, nil
+}
+
+// NewServicePrincipalTokenFromManualToken creates a ServicePrincipalToken using the supplied token
+func NewServicePrincipalTokenFromManualToken(oauthConfig OAuthConfig, clientID string, resource string, token Token, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error) {
+	spt, err := NewServicePrincipalTokenWithSecret(
+		oauthConfig,
+		clientID,
+		resource,
+		&ServicePrincipalNoSecret{},
+		callbacks...)
+	if err != nil {
+		return nil, err
+	}
+
+	spt.Token = token
+
+	return spt, nil
+}
+
+// NewServicePrincipalToken creates a ServicePrincipalToken from the supplied Service Principal
+// credentials scoped to the named resource.
+func NewServicePrincipalToken(oauthConfig OAuthConfig, clientID string, secret string, resource string, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error) {
+	return NewServicePrincipalTokenWithSecret(
+		oauthConfig,
+		clientID,
+		resource,
+		&ServicePrincipalTokenSecret{
+			ClientSecret: secret,
+		},
+		callbacks...,
+	)
+}
+
+// NewServicePrincipalTokenFromCertificate create a ServicePrincipalToken from the supplied pkcs12 bytes.
+func NewServicePrincipalTokenFromCertificate(oauthConfig OAuthConfig, clientID string, certificate *x509.Certificate, privateKey *rsa.PrivateKey, resource string, callbacks ...TokenRefreshCallback) (*ServicePrincipalToken, error) {
+	return NewServicePrincipalTokenWithSecret(
+		oauthConfig,
+		clientID,
+		resource,
+		&ServicePrincipalCertificateSecret{
+			PrivateKey:  privateKey,
+			Certificate: certificate,
+		},
+		callbacks...,
+	)
+}
+
+// EnsureFresh will refresh the token if it will expire within the refresh window (as set by
+// RefreshWithin).
+func (spt *ServicePrincipalToken) EnsureFresh() error {
+	if spt.WillExpireIn(spt.refreshWithin) {
+		return spt.Refresh()
+	}
+	return nil
+}
+
+// InvokeRefreshCallbacks calls any TokenRefreshCallbacks that were added to the SPT during initialization
+func (spt *ServicePrincipalToken) InvokeRefreshCallbacks(token Token) error {
+	if spt.refreshCallbacks != nil {
+		for _, callback := range spt.refreshCallbacks {
+			err := callback(spt.Token)
+			if err != nil {
+				return autorest.NewErrorWithError(err,
+					"azure.ServicePrincipalToken", "InvokeRefreshCallbacks", nil, "A TokenRefreshCallback handler returned an error")
+			}
+		}
+	}
+	return nil
+}
+
+// Refresh obtains a fresh token for the Service Principal.
+func (spt *ServicePrincipalToken) Refresh() error {
+	return spt.refreshInternal(spt.resource)
+}
+
+// RefreshExchange refreshes the token, but for a different resource.
+func (spt *ServicePrincipalToken) RefreshExchange(resource string) error {
+	return spt.refreshInternal(resource)
+}
+
+func (spt *ServicePrincipalToken) refreshInternal(resource string) error {
+	v := url.Values{}
+	v.Set("client_id", spt.clientID)
+	v.Set("resource", resource)
+
+	if spt.RefreshToken != "" {
+		v.Set("grant_type", OAuthGrantTypeRefreshToken)
+		v.Set("refresh_token", spt.RefreshToken)
+	} else {
+		v.Set("grant_type", OAuthGrantTypeClientCredentials)
+		err := spt.secret.SetAuthenticationValues(spt, &v)
+		if err != nil {
+			return err
+		}
+	}
+
+	req, _ := autorest.Prepare(&http.Request{},
+		autorest.AsPost(),
+		autorest.AsFormURLEncoded(),
+		autorest.WithBaseURL(spt.oauthConfig.TokenEndpoint.String()),
+		autorest.WithFormData(v))
+
+	resp, err := autorest.SendWithSender(spt.sender, req)
+	if err != nil {
+		return autorest.NewErrorWithError(err,
+			"azure.ServicePrincipalToken", "Refresh", resp, "Failure sending request for Service Principal %s",
+			spt.clientID)
+	}
+
+	var newToken Token
+	err = autorest.Respond(resp,
+		autorest.WithErrorUnlessStatusCode(http.StatusOK),
+		autorest.ByUnmarshallingJSON(&newToken),
+		autorest.ByClosing())
+	if err != nil {
+		return autorest.NewErrorWithError(err,
+			"azure.ServicePrincipalToken", "Refresh", resp, "Failure handling response to Service Principal %s request",
+			spt.clientID)
+	}
+
+	spt.Token = newToken
+
+	err = spt.InvokeRefreshCallbacks(newToken)
+	if err != nil {
+		// its already wrapped inside InvokeRefreshCallbacks
+		return err
+	}
+
+	return nil
+}
+
+// SetAutoRefresh enables or disables automatic refreshing of stale tokens.
+func (spt *ServicePrincipalToken) SetAutoRefresh(autoRefresh bool) {
+	spt.autoRefresh = autoRefresh
+}
+
+// SetRefreshWithin sets the interval within which if the token will expire, EnsureFresh will
+// refresh the token.
+func (spt *ServicePrincipalToken) SetRefreshWithin(d time.Duration) {
+	spt.refreshWithin = d
+	return
+}
+
+// SetSender sets the autorest.Sender used when obtaining the Service Principal token. An
+// undecorated http.Client is used by default.
+func (spt *ServicePrincipalToken) SetSender(s autorest.Sender) {
+	spt.sender = s
+}
+
+// WithAuthorization returns a PrepareDecorator that adds an HTTP Authorization header whose
+// value is "Bearer " followed by the AccessToken of the ServicePrincipalToken.
+//
+// By default, the token will automatically refresh if nearly expired (as determined by the
+// RefreshWithin interval). Use the AutoRefresh method to enable or disable automatically refreshing
+// tokens.
+func (spt *ServicePrincipalToken) WithAuthorization() autorest.PrepareDecorator {
+	return func(p autorest.Preparer) autorest.Preparer {
+		return autorest.PreparerFunc(func(r *http.Request) (*http.Request, error) {
+			if spt.autoRefresh {
+				err := spt.EnsureFresh()
+				if err != nil {
+					return r, autorest.NewErrorWithError(err,
+						"azure.ServicePrincipalToken", "WithAuthorization", nil, "Failed to refresh Service Principal Token for request to %s",
+						r.URL)
+				}
+			}
+			return (autorest.WithBearerAuthorization(spt.AccessToken)(p)).Prepare(r)
+		})
+	}
+}