def test_same_tenant_different_usernames():
"""two cached accounts, same tenant, different usernames"""
access_token_a = "access-token-a"
access_token_b = "access-token-b"
refresh_token_a = "refresh-token-a"
refresh_token_b = "refresh-token-b"
upn_a = "spam@eggs"
upn_b = "eggs@spam"
tenant_id = "the-tenant"
account_a = get_account_event(username=upn_a, uid="another-guid", utid=tenant_id, refresh_token=refresh_token_a)
account_b = get_account_event(username=upn_b, uid="more-guid", utid=tenant_id, refresh_token=refresh_token_b)
cache = populated_cache(account_a, account_b)
# with no username specified the credential can't select an identity
transport = Mock(side_effect=Exception()) # (so it shouldn't use the network)
credential = SharedTokenCacheCredential(tenant_id=tenant_id, _cache=cache, transport=transport)
with pytest.raises(ClientAuthenticationError) as ex:
credential.get_token("scope")
# error message should indicate multiple matching accounts, and list discovered accounts
assert ex.value.message.startswith(MULTIPLE_MATCHING_ACCOUNTS[: MULTIPLE_MATCHING_ACCOUNTS.index("{")])
discovered_accounts = ex.value.message.splitlines()[-1]
assert discovered_accounts.count(tenant_id) == 2
assert upn_a in discovered_accounts and upn_b in discovered_accounts
# with a username specified, the credential should auth the matching account
scope = "scope"
transport = validating_transport(
requests=[Request(required_data={"refresh_token": refresh_token_b, "scope": scope})],
responses=[mock_response(json_payload=build_aad_response(access_token=access_token_a))],
)
credential = SharedTokenCacheCredential(username=upn_b, _cache=cache, transport=transport)
token = credential.get_token(scope)
assert token.token == access_token_a
transport = validating_transport(
requests=[Request(required_data={"refresh_token": refresh_token_a, "scope": scope})],
responses=[mock_response(json_payload=build_aad_response(access_token=access_token_a))],
)
credential = SharedTokenCacheCredential(username=upn_a, _cache=cache, transport=transport)
token = credential.get_token(scope)
assert token.token == access_token_a
def test_same_username_different_tenants():
"""two cached accounts, same username, different tenants"""
access_token_a = "access-token-a"
access_token_b = "access-token-b"
refresh_token_a = "refresh-token-a"
refresh_token_b = "refresh-token-b"
upn = "spam@eggs"
tenant_a = "tenant-a"
tenant_b = "tenant-b"
account_a = get_account_event(username=upn, uid="another-guid", utid=tenant_a, refresh_token=refresh_token_a)
account_b = get_account_event(username=upn, uid="more-guid", utid=tenant_b, refresh_token=refresh_token_b)
cache = populated_cache(account_a, account_b)
# with no tenant specified the credential can't select an identity
transport = Mock(side_effect=Exception()) # (so it shouldn't use the network)
credential = SharedTokenCacheCredential(username=upn, _cache=cache, transport=transport)
with pytest.raises(CredentialUnavailableError) as ex:
credential.get_token("scope")
assert ex.value.message.startswith(MULTIPLE_MATCHING_ACCOUNTS[: MULTIPLE_MATCHING_ACCOUNTS.index("{")])
assert upn in ex.value.message
# with tenant specified, the credential should auth the matching account
scope = "scope"
transport = validating_transport(
requests=[Request(required_data={"refresh_token": refresh_token_a, "scope": scope})],
responses=[mock_response(json_payload=build_aad_response(access_token=access_token_a))],
)
credential = SharedTokenCacheCredential(tenant_id=tenant_a, _cache=cache, transport=transport)
token = credential.get_token(scope)
assert token.token == access_token_a
transport = validating_transport(
requests=[Request(required_data={"refresh_token": refresh_token_b, "scope": scope})],
responses=[mock_response(json_payload=build_aad_response(access_token=access_token_b))],
)
credential = SharedTokenCacheCredential(tenant_id=tenant_b, _cache=cache, transport=transport)
token = credential.get_token(scope)
assert token.token == access_token_b
