Azure · gapra-msft · Feb 6, 2024 · Feb 2, 2024 · Feb 5, 2024
@@ -45,6 +45,16 @@ import (
 var once sync.Once
 var autoOAuth sync.Once
 
+var sharedKeyDeprecation sync.Once
+var sharedKeyDeprecationMessage = "*** WARNING *** shared key authentication for datalake is deprecated and will be removed in a future release. Please use shared access signature (SAS) or OAuth for authentication."
+
+func warnIfSharedKeyAuthForDatalake() {
+	sharedKeyDeprecation.Do(func() {
+		glcm.Warn(sharedKeyDeprecationMessage)
+		jobsAdmin.JobsAdmin.LogToJobLog(sharedKeyDeprecationMessage, common.LogWarning)
+	})
+}
+
 // only one UserOAuthTokenManager should exists in azcopy-v2 process in cmd(FE) module for current user.
 // (given appAppPathFolder is mapped to current user)
 var currentUserOAuthTokenManager *common.UserOAuthTokenManager
@@ -352,7 +362,7 @@ var authMessagesAlreadyLogged = &sync.Map{}
 func isPublic(ctx context.Context, blobResourceURL string, cpkOptions common.CpkOptions) (isPublicResource bool) {
 	bURLParts, err := blob.ParseURL(blobResourceURL)
 	if err != nil {
-		return false;
+		return false
 	}
 
 	if bURLParts.ContainerName == "" || strings.Contains(bURLParts.ContainerName, "*") {
@@ -414,7 +424,7 @@ func mdAccountNeedsOAuth(ctx context.Context, blobResourceURL string, cpkOptions
 		if respErr.StatusCode == 401 || respErr.StatusCode == 403 { // *sometimes* the service can return 403s.
 			challenge := respErr.RawResponse.Header.Get("WWW-Authenticate")
 			if strings.Contains(challenge, common.MDResource) {
-				return true;
+				return true
 			}
 		}
 	}
@@ -433,9 +443,9 @@ func doGetCredentialTypeForLocation(ctx context.Context, location common.Locatio
 	case common.ELocation.Local(), common.ELocation.Benchmark(), common.ELocation.None(), common.ELocation.Pipe():
 		return common.ECredentialType.Anonymous(), false, nil
 	}
-	
-	defer func() { 
-		logAuthType(credType, location, isSource) 
+
+	defer func() {
+		logAuthType(credType, location, isSource)
 	}()
 
 	// caution: If auth-type is unsafe, below defer statement will change the return value credType
@@ -451,11 +461,11 @@ func doGetCredentialTypeForLocation(ctx context.Context, location common.Locatio
 	}()
 
 	if getForcedCredType() != common.ECredentialType.Unknown() &&
-			location != common.ELocation.S3() && location != common.ELocation.GCP() {
-				credType = getForcedCredType()
-				return
+		location != common.ELocation.S3() && location != common.ELocation.GCP() {
+		credType = getForcedCredType()
+		return
 	}
-	
+
 	if location == common.ELocation.S3() {
 		accessKeyID := glcm.GetEnvironmentVariable(common.EEnvironmentVariable.AWSAccessKeyID())
 		secretAccessKey := glcm.GetEnvironmentVariable(common.EEnvironmentVariable.AWSSecretAccessKey())
@@ -468,7 +478,7 @@ func doGetCredentialTypeForLocation(ctx context.Context, location common.Locatio
 		credType = common.ECredentialType.S3AccessKey()
 		return
 	}
-	
+
 	if location == common.ELocation.GCP() {
 		googleAppCredentials := glcm.GetEnvironmentVariable(common.EEnvironmentVariable.GoogleAppCredentials())
 		if googleAppCredentials == "" {
@@ -515,6 +525,7 @@ func doGetCredentialTypeForLocation(ctx context.Context, location common.Locatio
 		key := glcm.GetEnvironmentVariable(common.EEnvironmentVariable.AccountKey())
 		if name != "" && key != "" { // TODO: To remove, use for internal testing, SharedKey should not be supported from commandline
 			credType = common.ECredentialType.SharedKey()
+			warnIfSharedKeyAuthForDatalake()
 		}
 	}
 

@@ -75,6 +75,7 @@ func (i *interceptor) reset() {
 // this lifecycle manager substitute does not perform any action
 type mockedLifecycleManager struct {
 	infoLog      chan string
+	warnLog      chan string
 	errorLog     chan string
 	progressLog  chan string
 	exitLog      chan string
@@ -105,6 +106,12 @@ func (m *mockedLifecycleManager) Info(msg string) {
 	default:
 	}
 }
+func (m *mockedLifecycleManager) Warn(msg string) {
+	select {
+	case m.warnLog <- msg:
+	default:
+	}
+}
 func (m *mockedLifecycleManager) Dryrun(o common.OutputBuilder) {
 	select {
 	case m.dryrunLog <- o(m.outputFormat):
@@ -198,4 +205,4 @@ func (d *dummyProcessor) countFilesOnly() int {
 		}
 	}
 	return n
-}
+}
@@ -53,6 +53,7 @@ type LifecycleMgr interface {
 	Progress(OutputBuilder)                                      // print on the same line over and over again, not allowed to float up
 	Exit(OutputBuilder, ExitCode)                                // indicates successful execution exit after printing, allow user to specify exit code
 	Info(string)                                                 // simple print, allowed to float up
+	Warn(string)                                                 // simple print, allowed to float up
 	Dryrun(OutputBuilder)                                        // print files for dry run mode
 	Error(string)                                                // indicates fatal error, exit after printing, exit code is always Failed (1)
 	Prompt(message string, details PromptDetails) ResponseOption // ask the user a question(after erasing the progress), then return the response
@@ -288,6 +289,18 @@ func (lcm *lifecycleMgr) Info(msg string) {
 	}
 }
 
+func (lcm *lifecycleMgr) Warn(msg string) {
+
+	msg = lcm.logSanitizer.SanitizeLogMessage(msg) // sometimes error-like text comes through Info, before the final "we've failed, please stop now" signal comes to Error. So we sanitize in both places.
+
+	infoMsg := fmt.Sprintf("WARN: %v", msg)
+
+	lcm.msgQueue <- outputMessage{
+		msgContent: infoMsg,
+		msgType:    eOutputMessageType.Info(),
+	}
+}
+
 func (lcm *lifecycleMgr) Prompt(message string, details PromptDetails) ResponseOption {
 
 	expectedInputChannel := make(chan string, 1)