async def test_authority_aliases():
"""the credential should use a refresh token valid for any known alias of its authority"""
expected_access_token = "access-token"
for authority in KNOWN_ALIASES:
# cache a token for this authority
expected_refresh_token = authority.replace(".", "")
account = get_account_event(
"spam@eggs", "uid", "tenant", authority=authority, refresh_token=expected_refresh_token
)
cache = populated_cache(account)
# the token should be acceptable for this authority itself
transport = async_validating_transport(
requests=[Request(authority=authority, required_data={"refresh_token": expected_refresh_token})],
responses=[mock_response(json_payload=build_aad_response(access_token=expected_access_token))],
)
credential = SharedTokenCacheCredential(authority=authority, _cache=cache, transport=transport)
token = await credential.get_token("scope")
assert token.token == expected_access_token
# it should also be acceptable for every known alias of this authority
for alias in KNOWN_ALIASES[authority]:
transport = async_validating_transport(
requests=[Request(authority=alias, required_data={"refresh_token": expected_refresh_token})],
responses=[mock_response(json_payload=build_aad_response(access_token=expected_access_token))],
)
credential = SharedTokenCacheCredential(authority=alias, _cache=cache, transport=transport)
token = await credential.get_token("scope")
assert token.token == expected_access_token
async def test_no_matching_account_for_tenant_or_username():
"""two cached accounts, username and tenant specified, one account matches each -> credential should raise"""
refresh_token_a = "refresh-token-a"
refresh_token_b = "refresh-token-b"
upn_a = "a@foo"
upn_b = "b@foo"
tenant_a = "tenant-a"
tenant_b = "tenant-b"
account_a = get_account_event(username=upn_a, uid="uid_a", utid=tenant_a, refresh_token=refresh_token_a)
account_b = get_account_event(username=upn_b, uid="uid_b", utid=tenant_b, refresh_token=refresh_token_b)
cache = populated_cache(account_a, account_b)
transport = Mock(side_effect=Exception()) # credential shouldn't use the network
credential = SharedTokenCacheCredential(username=upn_a, tenant_id=tenant_b, _cache=cache, transport=transport)
with pytest.raises(CredentialUnavailableError) as ex:
await credential.get_token("scope")
assert ex.value.message.startswith(NO_MATCHING_ACCOUNTS[: NO_MATCHING_ACCOUNTS.index("{")])
assert upn_a in ex.value.message and tenant_b in ex.value.message
credential = SharedTokenCacheCredential(username=upn_b, tenant_id=tenant_a, _cache=cache, transport=transport)
with pytest.raises(CredentialUnavailableError) as ex:
await credential.get_token("scope")
assert ex.value.message.startswith(NO_MATCHING_ACCOUNTS[: NO_MATCHING_ACCOUNTS.index("{")])
assert upn_b in ex.value.message and tenant_a in ex.value.message
async def test_allow_unencrypted_cache():
"""The credential should use an unencrypted cache when encryption is unavailable and the user explicitly allows it.
This test was written when Linux was the only platform on which encryption may not be available.
"""
platform_patch = patch("azure.identity._internal.persistent_cache.sys.platform", "linux2")
platform_patch.start()
msal_extensions_patch = patch("azure.identity._internal.persistent_cache.msal_extensions")
mock_extensions = msal_extensions_patch.start()
# the credential should prefer an encrypted cache even when the user allows an unencrypted one
SharedTokenCacheCredential(allow_unencrypted_cache=True)
assert mock_extensions.PersistedTokenCache.called_with(mock_extensions.LibsecretPersistence)
mock_extensions.PersistedTokenCache.reset_mock()
# (when LibsecretPersistence's dependencies aren't available, constructing it raises ImportError)
mock_extensions.LibsecretPersistence = Mock(side_effect=ImportError)
# encryption unavailable, no opt in to unencrypted cache -> credential should be unavailable
credential = SharedTokenCacheCredential()
assert mock_extensions.PersistedTokenCache.call_count == 0
with pytest.raises(CredentialUnavailableError):
await credential.get_token("scope")
# still no encryption, but now we allow the unencrypted fallback
SharedTokenCacheCredential(allow_unencrypted_cache=True)
assert mock_extensions.PersistedTokenCache.called_with(mock_extensions.FilePersistence)
msal_extensions_patch.stop()
platform_patch.stop()
def _initialize_credentials(self):
if self.subscription_id is not None \
and self.arm_base_url is not None:
if self.vscode_tenant_id is None:
self.vscode_tenant_id = self._get_tenant_id(
arm_base_url=self.arm_base_url,
subscription_id=self.subscription_id)
if self.shared_cache_tenant_id is None:
self.shared_cache_tenant_id = self._get_tenant_id(
arm_base_url=self.arm_base_url,
subscription_id=self.subscription_id)
if self.interactive_browser_tenant_id is None:
self.interactive_browser_tenant_id = self._get_tenant_id(
arm_base_url=self.arm_base_url,
subscription_id=self.subscription_id)
credentials = [] # type: List[AsyncTokenCredential]
if not self.exclude_token_file_credential:
credentials.append(_TokenFileCredential())
if not self.exclude_environment_credential:
credentials.append(EnvironmentCredential(authority=self.authority))
if not self.exclude_managed_identity_credential:
credentials.append(
ManagedIdentityCredential(
client_id=self.managed_identity_client_id))
if not self.exclude_shared_token_cache_credential and SharedTokenCacheCredential.supported(
):
try:
# username and/or tenant_id are only required when the cache contains tokens for multiple identities
shared_cache = SharedTokenCacheCredential(
username=self.shared_cache_username,
tenant_id=self.shared_cache_tenant_id,
authority=self.authority)
credentials.append(shared_cache)
except Exception as ex: # pylint:disable=broad-except
_LOGGER.info("Shared token cache is unavailable: '%s'", ex)
if not self.exclude_visual_studio_code_credential:
credentials.append(
VisualStudioCodeCredential(tenant_id=self.vscode_tenant_id))
if not self.exclude_cli_credential:
credentials.append(AzureCliCredential())
if not self.exclude_powershell_credential:
credentials.append(AzurePowerShellCredential())
if not self.exclude_interactive_browser_credential:
credentials.append(
InteractiveBrowserCredential(
tenant_id=self.interactive_browser_tenant_id))
if not self.exclude_device_code_credential:
credentials.append(
DeviceCodeCredential(
tenant_id=self.interactive_browser_tenant_id))
self.credentials = credentials
async def test_no_refresh_token():
"""one cached account, account has no refresh token -> credential should raise"""
account = get_account_event(uid="uid_a", utid="utid", username="******", refresh_token=None)
cache = populated_cache(account)
transport = Mock(side_effect=Exception()) # credential shouldn't use the network
credential = SharedTokenCacheCredential(_cache=cache, transport=transport)
with pytest.raises(CredentialUnavailableError, match=NO_ACCOUNTS):
await credential.get_token("scope")
credential = SharedTokenCacheCredential(_cache=cache, transport=transport, username="******")
with pytest.raises(CredentialUnavailableError, match=NO_ACCOUNTS):
await credential.get_token("scope")
async def test_authority_environment_variable():
"""the credential should accept an authority by environment variable when none is otherwise specified"""
authority = "localhost"
expected_access_token = "access-token"
expected_refresh_token = "refresh-token"
account = get_account_event("spam@eggs",
"uid",
"tenant",
authority=authority,
refresh_token=expected_refresh_token)
cache = populated_cache(account)
transport = async_validating_transport(
requests=[
Request(authority=authority,
required_data={"refresh_token": expected_refresh_token})
],
responses=[
mock_response(json_payload=build_aad_response(
access_token=expected_access_token))
],
)
with patch.dict("os.environ",
{EnvironmentVariables.AZURE_AUTHORITY_HOST: authority},
clear=True):
credential = SharedTokenCacheCredential(transport=transport,
_cache=cache)
token = await credential.get_token("scope")
assert token.token == expected_access_token
async def test_multitenant_authentication_not_allowed():
default_tenant = "organizations"
expected_token = "***"
async def send(request, **_):
parsed = urlparse(request.url)
tenant_id = parsed.path.split("/")[1]
assert tenant_id == default_tenant
return mock_response(
json_payload=build_aad_response(
access_token=expected_token,
id_token_claims=id_token_claims(aud="...", iss="...", sub="..."),
)
)
authority = "localhost"
expected_account = get_account_event(
"user", "object-id", "tenant-id", authority=authority, client_id="client-id", refresh_token="**"
)
cache = populated_cache(expected_account)
credential = SharedTokenCacheCredential(authority=authority, transport=Mock(send=send), _cache=cache)
token = await credential.get_token("scope")
assert token.token == expected_token
token = await credential.get_token("scope", tenant_id=default_tenant)
assert token.token == expected_token
with patch.dict("os.environ", {EnvironmentVariables.AZURE_IDENTITY_DISABLE_MULTITENANTAUTH: "true"}):
token = await credential.get_token("scope", tenant_id="some tenant")
assert token.token == expected_token
async def test_auth_record_multiple_accounts_for_username():
tenant_id = "tenant-id"
client_id = "client-id"
authority = "localhost"
object_id = "object-id"
home_account_id = object_id + "." + tenant_id
username = "******"
record = AuthenticationRecord(tenant_id, client_id, authority, home_account_id, username)
expected_access_token = "****"
expected_refresh_token = "**"
expected_account = get_account_event(
username, object_id, tenant_id, authority=authority, client_id=client_id, refresh_token=expected_refresh_token
)
cache = populated_cache(
expected_account,
get_account_event( # this account matches all but the record's tenant
username,
object_id,
"different-" + tenant_id,
authority=authority,
client_id=client_id,
refresh_token="not-" + expected_refresh_token,
),
)
transport = async_validating_transport(
requests=[Request(authority=authority, required_data={"refresh_token": expected_refresh_token})],
responses=[mock_response(json_payload=build_aad_response(access_token=expected_access_token))],
)
credential = SharedTokenCacheCredential(authentication_record=record, transport=transport, _cache=cache)
token = await credential.get_token("scope")
assert token.token == expected_access_token
async def test_single_account():
"""one cached account, no username specified -> credential should auth that account"""
refresh_token = "refresh-token"
scope = "scope"
account = get_account_event(uid="uid_a",
utid="utid",
username="******",
refresh_token=refresh_token)
cache = populated_cache(account)
expected_token = "***"
transport = async_validating_transport(
requests=[
Request(required_data={
"refresh_token": refresh_token,
"scope": scope
})
],
responses=[
mock_response(json_payload=build_aad_response(
access_token=expected_token))
],
)
credential = SharedTokenCacheCredential(_cache=cache, transport=transport)
token = await credential.get_token(scope)
assert token.token == expected_token
async def test_authority_with_no_known_alias():
"""given an appropriate token, an authority with no known aliases should work"""
authority = "unknown.authority"
expected_access_token = "access-token"
expected_refresh_token = "refresh-token"
account = get_account_event("spam@eggs",
"uid",
"tenant",
authority=authority,
refresh_token=expected_refresh_token)
cache = populated_cache(account)
transport = async_validating_transport(
requests=[
Request(authority=authority,
required_data={"refresh_token": expected_refresh_token})
],
responses=[
mock_response(json_payload=build_aad_response(
access_token=expected_access_token))
],
)
credential = SharedTokenCacheCredential(authority=authority,
_cache=cache,
transport=transport)
token = await credential.get_token("scope")
assert token.token == expected_access_token
async def test_authentication_record_empty_cache():
record = AuthenticationRecord("tenant_id", "client_id", "authority", "home_account_id", "username")
transport = Mock(side_effect=Exception("the credential shouldn't send a request"))
credential = SharedTokenCacheCredential(authentication_record=record, transport=transport, _cache=TokenCache())
with pytest.raises(CredentialUnavailableError):
await credential.get_token("scope")
async def test_two_accounts_username_specified():
"""two cached accounts, username specified, one account matches -> credential should auth that account"""
scope = "scope"
expected_refresh_token = "refresh-token-a"
upn_a = "a@foo"
upn_b = "b@foo"
account_a = get_account_event(username=upn_a,
uid="uid_a",
utid="utid",
refresh_token=expected_refresh_token)
account_b = get_account_event(username=upn_b,
uid="uid_b",
utid="utid",
refresh_token="refresh_token_b")
cache = populated_cache(account_a, account_b)
expected_token = "***"
transport = async_validating_transport(
requests=[
Request(required_data={
"refresh_token": expected_refresh_token,
"scope": scope
})
],
responses=[
mock_response(json_payload=build_aad_response(
access_token=expected_token))
],
)
credential = SharedTokenCacheCredential(username=upn_a,
_cache=cache,
transport=transport)
token = await credential.get_token(scope)
assert token.token == expected_token
def test_exclude_options():
def assert_credentials_not_present(chain, *credential_classes):
actual = {c.__class__ for c in chain.credentials}
assert len(actual)
# no unexpected credential is in the chain
excluded = set(credential_classes)
assert len(actual & excluded) == 0
# only excluded credentials have been excluded from the default
default = {c.__class__ for c in DefaultAzureCredential().credentials}
assert actual <= default # n.b. we know actual is non-empty
assert default - actual <= excluded
# with no environment variables set, ManagedIdentityCredential = ImdsCredential
with patch("os.environ", {}):
credential = DefaultAzureCredential(
exclude_managed_identity_credential=True)
assert_credentials_not_present(credential, ImdsCredential,
MsiCredential)
# with $MSI_ENDPOINT set, ManagedIdentityCredential = MsiCredential
with patch("os.environ", {"MSI_ENDPOINT": "spam"}):
credential = DefaultAzureCredential(
exclude_managed_identity_credential=True)
assert_credentials_not_present(credential, ImdsCredential,
MsiCredential)
if SharedTokenCacheCredential.supported():
credential = DefaultAzureCredential(
exclude_shared_token_cache_credential=True)
assert_credentials_not_present(credential, SharedTokenCacheCredential)
async def test_authentication_record_no_match():
tenant_id = "tenant-id"
client_id = "client-id"
authority = "localhost"
object_id = "object-id"
home_account_id = object_id + "." + tenant_id
username = "******"
record = AuthenticationRecord(tenant_id, client_id, authority,
home_account_id, username)
transport = Mock(
side_effect=Exception("the credential shouldn't send a request"))
cache = populated_cache(
get_account_event(
"not-" + username,
"not-" + object_id,
"different-" + tenant_id,
client_id="not-" + client_id,
), )
credential = SharedTokenCacheCredential(_authentication_record=record,
transport=transport,
_cache=cache)
with pytest.raises(CredentialUnavailableError):
await credential.get_token("scope")
def test_exclude_options():
def assert_credentials_not_present(chain, *credential_classes):
actual = {c.__class__ for c in chain.credentials}
assert len(actual)
# no unexpected credential is in the chain
excluded = set(credential_classes)
assert len(actual & excluded) == 0
# only excluded credentials have been excluded from the default
default = {c.__class__ for c in DefaultAzureCredential().credentials}
assert actual <= default # n.b. we know actual is non-empty
assert default - actual <= excluded
# when exclude_managed_identity_credential is set to True, check if ManagedIdentityCredential instance is not present
credential = DefaultAzureCredential(
exclude_managed_identity_credential=True)
assert_credentials_not_present(credential, ManagedIdentityCredential)
if SharedTokenCacheCredential.supported():
credential = DefaultAzureCredential(
exclude_shared_token_cache_credential=True)
assert_credentials_not_present(credential, SharedTokenCacheCredential)
credential = DefaultAzureCredential(exclude_cli_credential=True)
assert_credentials_not_present(credential, AzureCliCredential)
credential = DefaultAzureCredential(
exclude_visual_studio_code_credential=True)
assert_credentials_not_present(credential, VSCodeCredential)
async def test_close():
transport = AsyncMockTransport()
credential = SharedTokenCacheCredential(_cache=populated_cache(
get_account_event("test@user", "uid", "utid")),
transport=transport)
await credential.close()
assert transport.__aexit__.call_count == 1
async def test_same_tenant_different_usernames():
"""two cached accounts, same tenant, different usernames"""
access_token_a = "access-token-a"
access_token_b = "access-token-b"
refresh_token_a = "refresh-token-a"
refresh_token_b = "refresh-token-b"
upn_a = "spam@eggs"
upn_b = "eggs@spam"
tenant_id = "the-tenant"
account_a = get_account_event(username=upn_a, uid="another-guid", utid=tenant_id, refresh_token=refresh_token_a)
account_b = get_account_event(username=upn_b, uid="more-guid", utid=tenant_id, refresh_token=refresh_token_b)
cache = populated_cache(account_a, account_b)
# with no username specified the credential can't select an identity
transport = Mock(side_effect=Exception()) # (so it shouldn't use the network)
credential = SharedTokenCacheCredential(tenant_id=tenant_id, _cache=cache, transport=transport)
with pytest.raises(ClientAuthenticationError) as ex:
await credential.get_token("scope")
# error message should indicate multiple matching accounts, and list discovered accounts
assert ex.value.message.startswith(MULTIPLE_MATCHING_ACCOUNTS[: MULTIPLE_MATCHING_ACCOUNTS.index("{")])
discovered_accounts = ex.value.message.splitlines()[-1]
assert discovered_accounts.count(tenant_id) == 2
assert upn_a in discovered_accounts and upn_b in discovered_accounts
# with a username specified, the credential should auth the matching account
scope = "scope"
transport = async_validating_transport(
requests=[Request(required_data={"refresh_token": refresh_token_b, "scope": scope})],
responses=[mock_response(json_payload=build_aad_response(access_token=access_token_a))],
)
credential = SharedTokenCacheCredential(username=upn_b, _cache=cache, transport=transport)
token = await credential.get_token(scope)
assert token.token == access_token_a
transport = async_validating_transport(
requests=[Request(required_data={"refresh_token": refresh_token_a, "scope": scope})],
responses=[mock_response(json_payload=build_aad_response(access_token=access_token_a))],
)
credential = SharedTokenCacheCredential(username=upn_a, _cache=cache, transport=transport)
token = await credential.get_token(scope)
assert token.token == access_token_a
async def test_empty_cache():
with pytest.raises(ClientAuthenticationError, match=NO_ACCOUNTS):
await SharedTokenCacheCredential(_cache=TokenCache()).get_token("scope")
with pytest.raises(ClientAuthenticationError, match=NO_ACCOUNTS):
await SharedTokenCacheCredential(_cache=TokenCache(), username="******").get_token("scope")
with pytest.raises(ClientAuthenticationError, match=NO_ACCOUNTS):
await SharedTokenCacheCredential(_cache=TokenCache(), tenant_id="not-cached").get_token("scope")
with pytest.raises(ClientAuthenticationError, match=NO_ACCOUNTS):
credential = SharedTokenCacheCredential(_cache=TokenCache(), tenant_id="not-cached", username="******")
await credential.get_token("scope")
async def test_context_manager():
transport = AsyncMockTransport()
credential = SharedTokenCacheCredential(_cache=populated_cache(
get_account_event("test@user", "uid", "utid")),
transport=transport)
async with credential:
assert transport.__aenter__.call_count == 1
assert transport.__aenter__.call_count == 1
assert transport.__aexit__.call_count == 1
async def test_user_agent():
transport = async_validating_transport(
requests=[Request(required_headers={"User-Agent": USER_AGENT})],
responses=[mock_response(json_payload=build_aad_response(access_token="**"))],
)
credential = SharedTokenCacheCredential(
_cache=populated_cache(get_account_event("test@user", "uid", "utid")), transport=transport
)
await credential.get_token("scope")
async def test_same_username_different_tenants():
"""two cached accounts, same username, different tenants"""
access_token_a = "access-token-a"
access_token_b = "access-token-b"
refresh_token_a = "refresh-token-a"
refresh_token_b = "refresh-token-b"
upn = "spam@eggs"
tenant_a = "tenant-a"
tenant_b = "tenant-b"
account_a = get_account_event(username=upn, uid="another-guid", utid=tenant_a, refresh_token=refresh_token_a)
account_b = get_account_event(username=upn, uid="more-guid", utid=tenant_b, refresh_token=refresh_token_b)
cache = populated_cache(account_a, account_b)
# with no tenant specified the credential can't select an identity
transport = Mock(side_effect=Exception()) # (so it shouldn't use the network)
credential = SharedTokenCacheCredential(username=upn, _cache=cache, transport=transport)
with pytest.raises(CredentialUnavailableError) as ex:
await credential.get_token("scope")
assert ex.value.message.startswith(MULTIPLE_MATCHING_ACCOUNTS[: MULTIPLE_MATCHING_ACCOUNTS.index("{")])
assert upn in ex.value.message
# with tenant specified, the credential should auth the matching account
scope = "scope"
transport = async_validating_transport(
requests=[Request(required_data={"refresh_token": refresh_token_a, "scope": scope})],
responses=[mock_response(json_payload=build_aad_response(access_token=access_token_a))],
)
credential = SharedTokenCacheCredential(tenant_id=tenant_a, _cache=cache, transport=transport)
token = await credential.get_token(scope)
assert token.token == access_token_a
transport = async_validating_transport(
requests=[Request(required_data={"refresh_token": refresh_token_b, "scope": scope})],
responses=[mock_response(json_payload=build_aad_response(access_token=access_token_b))],
)
credential = SharedTokenCacheCredential(tenant_id=tenant_b, _cache=cache, transport=transport)
token = await credential.get_token(scope)
assert token.token == access_token_b
async def test_empty_cache():
"""the credential should raise CredentialUnavailableError when the cache is empty"""
with pytest.raises(CredentialUnavailableError, match=NO_ACCOUNTS):
await SharedTokenCacheCredential(_cache=TokenCache()).get_token("scope")
with pytest.raises(CredentialUnavailableError, match=NO_ACCOUNTS):
await SharedTokenCacheCredential(_cache=TokenCache(), username="******").get_token("scope")
with pytest.raises(CredentialUnavailableError, match=NO_ACCOUNTS):
await SharedTokenCacheCredential(_cache=TokenCache(), tenant_id="not-cached").get_token("scope")
with pytest.raises(CredentialUnavailableError, match=NO_ACCOUNTS):
credential = SharedTokenCacheCredential(_cache=TokenCache(), tenant_id="not-cached", username="******")
await credential.get_token("scope")
async def test_context_manager_no_cache():
"""the credential shouldn't open/close sessions when instantiated in an environment with no cache"""
transport = AsyncMockTransport()
with patch.dict("azure.identity._internal.shared_token_cache.os.environ", {}, clear=True):
# clearing the environment ensures the credential won't try to load a cache
credential = SharedTokenCacheCredential(transport=transport)
async with credential:
assert transport.__aenter__.call_count == 0
assert transport.__aenter__.call_count == 0
assert transport.__aexit__.call_count == 0
async def test_context_manager_no_cache():
"""the credential shouldn't open/close sessions when instantiated in an environment with no cache"""
transport = AsyncMockTransport()
with patch("azure.identity._internal.shared_token_cache.load_user_cache", Mock(side_effect=NotImplementedError)):
credential = SharedTokenCacheCredential(transport=transport)
async with credential:
assert transport.__aenter__.call_count == 0
assert transport.__aenter__.call_count == 0
assert transport.__aexit__.call_count == 0
async def test_initialization():
"""the credential should attempt to load the cache only once, when it's first needed"""
with patch("azure.identity._internal.persistent_cache._load_persistent_cache") as mock_cache_loader:
mock_cache_loader.side_effect = Exception("it didn't work")
credential = SharedTokenCacheCredential()
assert mock_cache_loader.call_count == 0
for _ in range(2):
with pytest.raises(CredentialUnavailableError):
await credential.get_token("scope")
assert mock_cache_loader.call_count == 1
async def test_policies_configurable():
policy = Mock(spec_set=SansIOHTTPPolicy, on_request=Mock())
async def send(*_, **__):
return mock_response(json_payload=build_aad_response(access_token="**"))
credential = SharedTokenCacheCredential(
_cache=populated_cache(get_account_event("test@user", "uid", "utid")),
policies=[policy],
transport=Mock(send=send),
)
await credential.get_token("scope")
assert policy.on_request.called
async def test_close():
async def send(*_, **__):
return mock_response(json_payload=build_aad_response(access_token="**"))
transport = AsyncMockTransport(send=send)
credential = SharedTokenCacheCredential(
_cache=populated_cache(get_account_event("test@user", "uid", "utid")), transport=transport
)
# the credential doesn't open a transport session before one is needed, so we send a request
await credential.get_token("scope")
await credential.close()
assert transport.__aexit__.call_count == 1
def test_authentication_record_authenticating_tenant():
"""when given a record and 'tenant_id', the credential should authenticate in the latter"""
expected_tenant_id = "tenant-id"
record = AuthenticationRecord("not- " + expected_tenant_id, "...", "...",
"...", "...")
with patch.object(SharedTokenCacheCredential,
"_get_auth_client") as get_auth_client:
SharedTokenCacheCredential(authentication_record=record,
_cache=TokenCache(),
tenant_id=expected_tenant_id)
assert get_auth_client.call_count == 1
_, kwargs = get_auth_client.call_args
assert kwargs["tenant_id"] == expected_tenant_id
async def test_two_accounts_no_username_or_tenant():
"""two cached accounts, no username or tenant specified -> credential should raise"""
upn_a = "a@foo"
upn_b = "b@foo"
account_a = get_account_event(username=upn_a, uid="uid_a", utid="utid")
account_b = get_account_event(username=upn_b, uid="uid_b", utid="utid")
cache = populated_cache(account_a, account_b)
# credential can't select an identity => it shouldn't use the network
transport = Mock(side_effect=Exception())
# two users in the cache, no username specified -> CredentialUnavailableError
credential = SharedTokenCacheCredential(_cache=cache, transport=transport)
with pytest.raises(ClientAuthenticationError, match=MULTIPLE_ACCOUNTS) as ex:
await credential.get_token("scope")
async def test_multitenant_authentication_not_allowed():
"""get_token(tenant_id=...) should raise when allow_multitenant_authentication is False (the default)"""
default_tenant = "organizations"
expected_token = "***"
async def send(request, **_):
parsed = urlparse(request.url)
tenant_id = parsed.path.split("/")[1]
assert tenant_id == default_tenant
return mock_response(json_payload=build_aad_response(
access_token=expected_token,
id_token_claims=id_token_claims(aud="...", iss="...", sub="..."),
))
authority = "localhost"
expected_account = get_account_event("user",
"object-id",
"tenant-id",
authority=authority,
client_id="client-id",
refresh_token="**")
cache = populated_cache(expected_account)
credential = SharedTokenCacheCredential(authority=authority,
transport=Mock(send=send),
_cache=cache)
token = await credential.get_token("scope")
assert token.token == expected_token
# explicitly specifying the configured tenant is okay
token = await credential.get_token("scope", tenant_id=default_tenant)
assert token.token == expected_token
# but any other tenant should get an error
with pytest.raises(ClientAuthenticationError,
match="allow_multitenant_authentication"):
await credential.get_token("scope", tenant_id="some tenant")
# ...unless the compat switch is enabled
with patch.dict("os.environ", {
EnvironmentVariables.AZURE_IDENTITY_ENABLE_LEGACY_TENANT_SELECTION:
"true"
}):
token = await credential.get_token("scope", tenant_id="some tenant")
assert token.token == expected_token, "credential should ignore tenant_id kwarg when the compat switch is enabled"