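def test_multitenant_authentication_not_allowed():
    """get_token should ignore tenant_id when AZURE_IDENTITY_DISABLE_MULTITENANTAUTH is "true".

    The fake Popen decodes the script the credential hands to pwsh and fails
    if it carries a -TenantId argument, so the test checks the command that
    would actually run, not only the returned token.
    """
    # NOTE(review): a second test with this same name appears later on this
    # page. If both live in one module, the later definition replaces this one
    # and this body is never collected -- confirm which version is current.
    expected_token = "***"

    def fake_Popen(command, **_):
        assert command[-1].startswith("pwsh -NonInteractive -EncodedCommand ")

        # The script travels as base64 over UTF-16LE text; decode it to
        # inspect what pwsh would be asked to execute.
        encoded_script = command[-1].split()[-1]
        decoded_script = base64.b64decode(encoded_script).decode("utf-16-le")
        match = re.search(
            r"Get-AzAccessToken -ResourceUrl '(\S+)'(?: -TenantId (\S+))?", decoded_script
        )
        # Without this guard an unexpected script surfaces as an opaque
        # AttributeError on None instead of a readable test failure.
        assert match is not None, "script doesn't contain the expected Get-AzAccessToken call"
        tenant = match.group(2)

        assert tenant is None, "credential shouldn't accept an explicit tenant ID"

        # Output in the "azsdk%<token>%<expires_on>" shape, valid for one hour.
        stdout = "azsdk%{}%{}".format(expected_token, int(time.time()) + 3600)
        communicate = Mock(return_value=(stdout, ""))
        return Mock(communicate=communicate, returncode=0)

    credential = AzurePowerShellCredential()
    with patch(POPEN, fake_Popen):
        # Baseline: no tenant requested, none may appear in the script.
        token = credential.get_token("scope")
        assert token.token == expected_token

        # With the switch set, a caller-supplied tenant must not reach the
        # PowerShell command line (fake_Popen asserts on it).
        with patch.dict(
            "os.environ", {EnvironmentVariables.AZURE_IDENTITY_DISABLE_MULTITENANTAUTH: "true"}
        ):
            token = credential.get_token("scope", tenant_id="some tenant")
            assert token.token == expected_token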
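def test_multitenant_authentication():
    """get_token should pass tenant_id through to Get-AzAccessToken and default to no tenant otherwise.

    The fake Popen returns a different token depending on whether the decoded
    script carries -TenantId, so each assertion on the returned token also
    pins which tenant the credential asked PowerShell for.
    """
    first_token = "***"
    second_tenant = "second-tenant"
    second_token = first_token * 2

    def fake_Popen(command, **_):
        assert command[-1].startswith("pwsh -NonInteractive -EncodedCommand ")

        # The script travels as base64 over UTF-16LE text; decode it to
        # inspect what pwsh would be asked to execute.
        encoded_script = command[-1].split()[-1]
        decoded_script = base64.b64decode(encoded_script).decode("utf-16-le")
        match = re.search(
            r"Get-AzAccessToken -ResourceUrl '(\S+)'(?: -TenantId (\S+))?", decoded_script
        )
        # Without this guard an unexpected script surfaces as an opaque
        # AttributeError on None instead of a readable test failure.
        assert match is not None, "script doesn't contain the expected Get-AzAccessToken call"
        tenant = match.group(2)

        # Only "no tenant" or the one tenant this test requests is acceptable;
        # anything else means the credential built the command incorrectly.
        assert tenant is None or tenant == second_tenant, 'unexpected tenant "{}"'.format(tenant)
        token = first_token if tenant is None else second_token

        # Output in the "azsdk%<token>%<expires_on>" shape, valid for one hour.
        stdout = "azsdk%{}%{}".format(token, int(time.time()) + 3600)
        communicate = Mock(return_value=(stdout, ""))
        return Mock(communicate=communicate, returncode=0)

    credential = AzurePowerShellCredential()
    with patch(POPEN, fake_Popen):
        token = credential.get_token("scope")
        assert token.token == first_token

        token = credential.get_token("scope", tenant_id=second_tenant)
        assert token.token == second_token

        # should still default to the first tenant: an explicit tenant_id on
        # one call must not stick to the credential for later calls
        token = credential.get_token("scope")
        assert token.token == first_token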
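def test_multitenant_authentication_not_allowed():
    """get_token(tenant_id=...) should raise when allow_multitenant_authentication is False (the default)

    Also covers the compatibility switch: with
    AZURE_IDENTITY_ENABLE_LEGACY_TENANT_SELECTION set to "true" the call
    succeeds, and the fake Popen asserts that no -TenantId reached the script.
    """
    expected_token = "***"

    def fake_Popen(command, **_):
        assert command[-1].startswith("pwsh -NonInteractive -EncodedCommand ")

        # The script travels as base64 over UTF-16LE text; decode it to
        # inspect what pwsh would be asked to execute.
        encoded_script = command[-1].split()[-1]
        decoded_script = base64.b64decode(encoded_script).decode("utf-16-le")
        match = re.search(
            r"Get-AzAccessToken -ResourceUrl '(\S+)'(?: -TenantId (\S+))?", decoded_script
        )
        # Without this guard an unexpected script surfaces as an opaque
        # AttributeError on None instead of a readable test failure.
        assert match is not None, "script doesn't contain the expected Get-AzAccessToken call"
        tenant = match.group(2)

        assert tenant is None, "credential shouldn't accept an explicit tenant ID"

        # Output in the "azsdk%<token>%<expires_on>" shape, valid for one hour.
        stdout = "azsdk%{}%{}".format(expected_token, int(time.time()) + 3600)
        communicate = Mock(return_value=(stdout, ""))
        return Mock(communicate=communicate, returncode=0)

    credential = AzurePowerShellCredential()
    with patch(POPEN, fake_Popen):
        # Baseline: no tenant requested, none may appear in the script.
        token = credential.get_token("scope")
        assert token.token == expected_token

        # specifying a tenant should get an error
        with pytest.raises(ClientAuthenticationError, match="allow_multitenant_authentication"):
            credential.get_token("scope", tenant_id="some tenant")

        # ...unless the compat switch is enabled; even then the tenant must
        # not reach the PowerShell command line (fake_Popen asserts on it)
        with patch.dict(
            "os.environ",
            {EnvironmentVariables.AZURE_IDENTITY_ENABLE_LEGACY_TENANT_SELECTION: "true"},
        ):
            token = credential.get_token("scope", tenant_id="some tenant")
        assert (
            token.token == expected_token
        ), "credential should ignore tenant_id kwarg when the compat switch is enabled"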