async def test_bearer_policy_token_caching():
good_for_one_hour = AccessToken("token", time.time() + 3600)
expected_token = good_for_one_hour
get_token_calls = 0
async def get_token(_):
nonlocal get_token_calls
get_token_calls += 1
return expected_token
credential = Mock(get_token=get_token)
policies = [AsyncBearerTokenCredentialPolicy(credential, "scope"), Mock(send=asyncio.coroutine(lambda _: Mock()))]
pipeline = AsyncPipeline(transport=Mock, policies=policies)
await pipeline.run(HttpRequest("GET", "https://spam.eggs"))
assert get_token_calls == 1 # policy has no token at first request -> it should call get_token
await pipeline.run(HttpRequest("GET", "https://spam.eggs"))
assert get_token_calls == 1 # token is good for an hour -> policy should return it from cache
expired_token = AccessToken("token", time.time())
get_token_calls = 0
expected_token = expired_token
policies = [AsyncBearerTokenCredentialPolicy(credential, "scope"), Mock(send=asyncio.coroutine(lambda _: Mock()))]
pipeline = AsyncPipeline(transport=Mock(), policies=policies)
await pipeline.run(HttpRequest("GET", "https://spam.eggs"))
assert get_token_calls == 1
await pipeline.run(HttpRequest("GET", "https://spam.eggs"))
assert get_token_calls == 2 # token expired -> policy should call get_token
async def test_bearer_policy_adds_header():
"""The bearer token policy should add a header containing a token from its credential"""
# 2524608000 == 01/01/2050 @ 12:00am (UTC)
expected_token = AccessToken("expected_token", 2524608000)
async def verify_authorization_header(request):
assert request.http_request.headers[
"Authorization"] == "Bearer {}".format(expected_token.token)
return Mock()
get_token_calls = 0
async def get_token(_):
nonlocal get_token_calls
get_token_calls += 1
return expected_token
fake_credential = Mock(get_token=get_token)
policies = [
AsyncBearerTokenCredentialPolicy(fake_credential, "scope"),
Mock(send=verify_authorization_header)
]
pipeline = AsyncPipeline(transport=Mock(), policies=policies)
await pipeline.run(HttpRequest("GET", "https://spam.eggs"), context=None)
assert get_token_calls == 1
await pipeline.run(HttpRequest("GET", "https://spam.eggs"), context=None)
# Didn't need a new token
assert get_token_calls == 1
def _create_appconfig_pipeline(self, credential, base_url=None, aad_mode=False, **kwargs):
transport = kwargs.get('transport')
policies = kwargs.get('policies')
if policies is None: # [] is a valid policy list
if aad_mode:
scope = base_url.strip("/") + "/.default"
if hasattr(credential, "get_token"):
credential_policy = AsyncBearerTokenCredentialPolicy(credential, scope)
else:
raise TypeError("Please provide an instance from azure-identity "
"or a class that implement the 'get_token protocol")
else:
credential_policy = AppConfigRequestsCredentialsPolicy(credential)
policies = [
self._config.headers_policy,
self._config.user_agent_policy,
credential_policy,
self._config.retry_policy,
SyncTokenPolicy(),
self._config.logging_policy, # HTTP request/response log
DistributedTracingPolicy(**kwargs),
HttpLoggingPolicy(**kwargs),
]
if not transport:
transport = AsyncioRequestsTransport(**kwargs)
return AsyncPipeline(
transport,
policies,
)
async def test_bearer_policy_optionally_enforces_https():
"""HTTPS enforcement should be controlled by a keyword argument, and enabled by default"""
async def assert_option_popped(request, **kwargs):
assert "enforce_https" not in kwargs, "AsyncBearerTokenCredentialPolicy didn't pop the 'enforce_https' option"
credential = Mock(get_token=lambda *_, **__: get_completed_future(
AccessToken("***", 42)))
pipeline = AsyncPipeline(
transport=Mock(send=assert_option_popped),
policies=[AsyncBearerTokenCredentialPolicy(credential, "scope")])
# by default and when enforce_https=True, the policy should raise when given an insecure request
with pytest.raises(ServiceRequestError):
await pipeline.run(HttpRequest("GET", "http://not.secure"))
with pytest.raises(ServiceRequestError):
await pipeline.run(HttpRequest("GET", "http://not.secure"),
enforce_https=True)
# when enforce_https=False, an insecure request should pass
await pipeline.run(HttpRequest("GET", "http://not.secure"),
enforce_https=False)
# https requests should always pass
await pipeline.run(HttpRequest("GET", "https://secure"),
enforce_https=False)
await pipeline.run(HttpRequest("GET", "https://secure"),
enforce_https=True)
await pipeline.run(HttpRequest("GET", "https://secure"))
def __init__(self, endpoint: str, credential: CommunicationTokenCredential,
thread_id: str, **kwargs: Any): # type: (...) -> None
if not thread_id:
raise ValueError("thread_id can not be None or empty")
if not credential:
raise ValueError("credential can not be None")
try:
if not endpoint.lower().startswith('http'):
endpoint = "https://" + endpoint
except AttributeError:
raise ValueError("Host URL must be a string")
parsed_url = urlparse(endpoint.rstrip('/'))
if not parsed_url.netloc:
raise ValueError("Invalid URL: {}".format(endpoint))
self._thread_id = thread_id
self._endpoint = endpoint
self._credential = credential
self._client = AzureCommunicationChatService(
endpoint,
authentication_policy=AsyncBearerTokenCredentialPolicy(
self._credential),
sdk_moniker=SDK_MONIKER,
**kwargs)
async def test_bearer_policy_adds_header():
"""The bearer token policy should add a header containing a token from its credential"""
expected_token = "expected_token"
async def verify_authorization_header(request):
assert request.http_request.headers[
"Authorization"] == "Bearer {}".format(expected_token)
get_token_calls = 0
async def get_token(_):
nonlocal get_token_calls
get_token_calls += 1
return expected_token
fake_credential = Mock(get_token=get_token)
policies = [
AsyncBearerTokenCredentialPolicy(fake_credential, "scope"),
Mock(spec=HTTPPolicy, send=verify_authorization_header),
]
pipeline = AsyncPipeline(transport=Mock(spec=AsyncHttpTransport),
policies=policies)
await pipeline.run(HttpRequest("GET", "https://spam.eggs"), context=None)
assert get_token_calls == 1
def _build_pipeline(self, **kwargs): # pylint: disable=no-self-use
transport = kwargs.get('transport')
policies = kwargs.get('policies')
credential_policy = \
AsyncServiceBusSharedKeyCredentialPolicy(self._endpoint, self._credential, "Authorization") \
if isinstance(self._credential, ServiceBusSharedKeyCredential) \
else AsyncBearerTokenCredentialPolicy(self._credential, JWT_TOKEN_SCOPE)
if policies is None: # [] is a valid policy list
policies = [
RequestIdPolicy(**kwargs),
self._config.headers_policy,
self._config.user_agent_policy,
self._config.proxy_policy,
ContentDecodePolicy(**kwargs),
ServiceBusXMLWorkaroundPolicy(),
self._config.redirect_policy,
self._config.retry_policy,
credential_policy,
self._config.logging_policy,
DistributedTracingPolicy(**kwargs),
HttpLoggingPolicy(**kwargs),
]
if not transport:
transport = AioHttpTransport(**kwargs)
return AsyncPipeline(transport, policies)
def get_authentication_policy(
endpoint, # type: str
credential, # type: TokenCredential or str
decode_url=False, # type: bool
is_async=False, # type: bool
):
# type: (...) -> BearerTokenCredentialPolicy or HMACCredentialPolicy
"""Returns the correct authentication policy based
on which credential is being passed.
:param endpoint: The endpoint to which we are authenticating to.
:type endpoint: str
:param credential: The credential we use to authenticate to the service
:type credential: TokenCredential or str
:param isAsync: For async clients there is a need to decode the url
:type bool: isAsync or str
:rtype: ~azure.core.pipeline.policies.BearerTokenCredentialPolicy
~HMACCredentialsPolicy
"""
if credential is None:
raise ValueError("Parameter 'credential' must not be None.")
if hasattr(credential, "get_token"):
if is_async:
from azure.core.pipeline.policies import AsyncBearerTokenCredentialPolicy
return AsyncBearerTokenCredentialPolicy(
credential, "https://communication.azure.com//.default")
from azure.core.pipeline.policies import BearerTokenCredentialPolicy
return BearerTokenCredentialPolicy(
credential, "https://communication.azure.com//.default")
if isinstance(credential, str):
from .._shared.policy import HMACCredentialsPolicy
return HMACCredentialsPolicy(endpoint, credential, decode_url=decode_url)
raise TypeError("Unsupported credential: {}. Use an access token string to use HMACCredentialsPolicy"
"or a token credential from azure.identity".format(type(credential)))
def _create_pipeline(self, credential, **kwargs):
credential_policy = None
if credential is None:
raise ValueError("Parameter 'credential' must not be None.")
if hasattr(credential, "get_token"):
credential_policy = AsyncBearerTokenCredentialPolicy(
credential, "https://cognitiveservices.azure.com/.default")
elif isinstance(credential, six.string_types):
credential_policy = CognitiveServicesCredentialPolicy(credential)
elif credential is not None:
raise TypeError("Unsupported credential: {}".format(credential))
config = self._create_configuration(**kwargs)
config.transport = kwargs.get("transport") # type: ignore
if not config.transport:
try:
from azure.core.pipeline.transport import AioHttpTransport
except ImportError:
raise ImportError(
"Unable to create async transport. Please check aiohttp is installed."
)
config.transport = AioHttpTransport(**kwargs)
policies = [
config.headers_policy, config.user_agent_policy,
RequestIdPolicy(**kwargs), config.proxy_policy,
AsyncRedirectPolicy(**kwargs),
AsyncRetryPolicy(**kwargs), credential_policy,
config.logging_policy,
AsyncTextAnalyticsResponseHook(**kwargs),
DistributedTracingPolicy(**kwargs),
HttpLoggingPolicy(**kwargs)
]
return AsyncPipeline(config.transport, policies=policies)
def _configure_credential(self, credential):
# type: (Any) -> None
self._credential_policy = None
if hasattr(credential, "get_token"):
self._credential_policy = AsyncBearerTokenCredentialPolicy(
credential, STORAGE_OAUTH_SCOPE)
elif isinstance(credential, SharedKeyCredentialPolicy):
self._credential_policy = credential
elif credential is not None:
raise TypeError("Unsupported credential: {}".format(credential))
def create_config(credential: "TokenCredential",
api_version: str = None,
**kwargs: Mapping[str, Any]) -> Configuration:
if api_version is None:
api_version = KeyVaultClient.DEFAULT_API_VERSION
config = KeyVaultClient.get_configuration_class(api_version,
aio=True)(credential,
**kwargs)
config.authentication_policy = AsyncBearerTokenCredentialPolicy(
credential, KEY_VAULT_SCOPE)
return config
def __init__(self, endpoint: str, account_id: str, account_domain: str,
credential: Union["AsyncTokenCredential", AzureKeyCredential,
AccessToken], **kwargs) -> None:
self._api_version = kwargs.pop("api_version",
RemoteRenderingApiVersion.V2021_01_01)
validate_api_version(self._api_version)
self._account_id = account_id
if not endpoint:
raise ValueError("endpoint cannot be None")
if not account_id:
raise ValueError("account_id cannot be None")
if not account_domain:
raise ValueError("account_domain cannot be None")
if not credential:
raise ValueError("credential cannot be None")
endpoint_url = kwargs.pop(
'authentication_endpoint_url',
construct_endpoint_url(account_domain)) # type: str
if isinstance(credential, AccessToken):
cred = StaticAccessTokenCredential(
credential) # type: AsyncTokenCredential
elif isinstance(credential, AzureKeyCredential):
cred = MixedRealityAccountKeyCredential(account_id=account_id,
account_key=credential)
else:
cred = credential
# otherwise assume it is a TokenCredential and simply pass it through
pipeline_credential = get_mixedreality_credential(
account_id=account_id,
account_domain=account_domain,
credential=cred,
endpoint_url=endpoint_url)
self.polling_interval = kwargs.pop("polling_interval", 5)
authentication_policy = AsyncBearerTokenCredentialPolicy(
pipeline_credential, endpoint_url + '/.default')
self._account_id = account_id
self._client = RemoteRenderingRestClient(
endpoint=endpoint,
authentication_policy=authentication_policy,
sdk_moniker=SDK_MONIKER,
api_version=self._api_version,
**kwargs)
def get_metrics_authentication_policy(
credential: 'TokenCredential') -> AsyncBearerTokenCredentialPolicy:
"""Returns the correct authentication policy
"""
if credential is None:
raise ValueError("Parameter 'credential' must not be None.")
if hasattr(credential, "get_token"):
return AsyncBearerTokenCredentialPolicy(
credential, "https://management.azure.com/.default")
raise TypeError("Unsupported credential")
def get_metrics_authentication_policy(
credential: "AsyncTokenCredential",
audience: str = None) -> AsyncBearerTokenCredentialPolicy:
"""Returns the correct authentication policy"""
if not audience:
audience = "https://management.azure.com/"
scope = audience.rstrip('/') + "/.default"
if credential is None:
raise ValueError("Parameter 'credential' must not be None.")
if hasattr(credential, "get_token"):
return AsyncBearerTokenCredentialPolicy(credential, scope)
raise TypeError("Unsupported credential")
async def test_bearer_policy_send():
"""The bearer token policy should invoke the next policy's send method and return the result"""
expected_request = HttpRequest("GET", "https://spam.eggs")
expected_response = Mock()
async def verify_request(request):
assert request.http_request is expected_request
return expected_response
fake_credential = Mock(get_token=asyncio.coroutine(lambda _: AccessToken("", 0)))
policies = [AsyncBearerTokenCredentialPolicy(fake_credential, "scope"), Mock(send=verify_request)]
response = await AsyncPipeline(transport=Mock(), policies=policies).run(expected_request)
assert response is expected_response
def __init__(self, credential, **kwargs): # pylint:disable=super-init-not-called
self._set_universal(**kwargs)
# async-specific azure pipeline policies
if isinstance(credential, str):
self.headers_policy.add_header("Ocp-Apim-Subscription-Key",
credential)
else:
scopes = kwargs.pop("scopes", [])
self.authentication_policy = AsyncBearerTokenCredentialPolicy(
credential, *scopes, **kwargs)
self.retry_policy = kwargs.get("retry_policy",
AsyncRetryPolicy(**kwargs))
self.redirect_policy = kwargs.get("redirect_policy",
AsyncRedirectPolicy(**kwargs))
self.transport = kwargs.get("transport", AioHttpTransport())
def __init__(
self,
account_id: str,
account_domain: str,
credential: Union[AzureKeyCredential, "AsyncTokenCredential"], #pylint: disable=unsubscriptable-object
**kwargs) -> None:
if not account_id:
raise ValueError("account_id must be a non-empty string.")
if not account_domain:
raise ValueError("account_domain must be a non-empty string.")
if not credential:
raise ValueError("credential can not be None.")
self._account_id = account_id
self._account_domain = account_domain
if isinstance(credential, AzureKeyCredential):
credential = MixedRealityAccountKeyCredential(
account_id, credential)
self._credential = credential
endpoint_url = kwargs.pop('custom_endpoint_url',
construct_endpoint_url(account_domain))
try:
if not endpoint_url.lower().startswith('http'):
endpoint_url = "https://" + endpoint_url
except AttributeError as ex:
raise ValueError("Host URL must be a string.") from ex
parsed_url = urlparse(endpoint_url.rstrip('/'))
if not parsed_url.netloc:
raise ValueError("Invalid URL: {}".format(endpoint_url))
self._endpoint_url = endpoint_url
authentication_policy = AsyncBearerTokenCredentialPolicy(
credential, [endpoint_url + '/.default'])
self._client = MixedRealityStsRestClient(
base_url=endpoint_url,
authentication_policy=authentication_policy,
sdk_moniker=SDK_MONIKER,
**kwargs)
def _create_pipeline(self, credential, **kwargs):
# type: (Any, **Any) -> Tuple[Configuration, Pipeline]
self._credential_policy = None
if hasattr(credential, 'get_token'):
self._credential_policy = AsyncBearerTokenCredentialPolicy(
credential, STORAGE_OAUTH_SCOPE)
elif isinstance(credential, SharedKeyCredentialPolicy):
self._credential_policy = credential
elif isinstance(credential, AzureSasCredential):
self._credential_policy = AzureSasCredentialPolicy(credential)
elif credential is not None:
raise TypeError("Unsupported credential: {}".format(credential))
config = kwargs.get('_configuration') or create_configuration(**kwargs)
if kwargs.get('_pipeline'):
return config, kwargs['_pipeline']
config.transport = kwargs.get('transport') # type: ignore
kwargs.setdefault("connection_timeout", CONNECTION_TIMEOUT)
kwargs.setdefault("read_timeout", READ_TIMEOUT)
if not config.transport:
try:
from azure.core.pipeline.transport import AioHttpTransport
except ImportError:
raise ImportError(
"Unable to create async transport. Please check aiohttp is installed."
)
config.transport = AioHttpTransport(**kwargs)
policies = [
QueueMessagePolicy(),
config.headers_policy,
config.proxy_policy,
config.user_agent_policy,
StorageContentValidation(),
StorageRequestHook(**kwargs),
self._credential_policy,
ContentDecodePolicy(response_encoding="utf-8"),
AsyncRedirectPolicy(**kwargs),
StorageHosts(hosts=self._hosts, **kwargs), # type: ignore
config.retry_policy,
config.logging_policy,
AsyncStorageResponseHook(**kwargs),
DistributedTracingPolicy(**kwargs),
HttpLoggingPolicy(**kwargs),
]
if kwargs.get("_additional_pipeline_policies"):
policies = policies + kwargs.get("_additional_pipeline_policies")
return config, AsyncPipeline(config.transport, policies=policies)
async def test_preserves_enforce_https_opt_out():
"""The policy should use request context to preserve an opt out from https enforcement"""
class ContextValidator(SansIOHTTPPolicy):
def on_request(self, request):
assert "enforce_https" in request.context, "'enforce_https' is not in the request's context"
get_token = get_completed_future(AccessToken("***", 42))
credential = Mock(get_token=lambda *_, **__: get_token)
policies = [
AsyncBearerTokenCredentialPolicy(credential, "scope"),
ContextValidator()
]
pipeline = AsyncPipeline(
transport=Mock(send=lambda *_, **__: get_completed_future()),
policies=policies)
await pipeline.run(HttpRequest("GET", "http://not.secure"),
enforce_https=False)
async def test_context_unmodified_by_default():
"""When no options for the policy accompany a request, the policy shouldn't add anything to the request context"""
class ContextValidator(SansIOHTTPPolicy):
def on_request(self, request):
assert not any(
request.context
), "the policy shouldn't add to the request's context"
get_token = get_completed_future(AccessToken("***", 42))
credential = Mock(get_token=lambda *_, **__: get_token)
policies = [
AsyncBearerTokenCredentialPolicy(credential, "scope"),
ContextValidator()
]
pipeline = AsyncPipeline(
transport=Mock(send=lambda *_, **__: get_completed_future()),
policies=policies)
await pipeline.run(HttpRequest("GET", "https://secure"))
def _create_pipeline(self,
credential,
endpoint=None,
aad_mode=False,
**kwargs):
transport = kwargs.get('transport')
policies = kwargs.get('policies')
if policies is None: # [] is a valid policy list
if aad_mode:
scope = endpoint.strip("/") + "/.default"
if hasattr(credential, "get_token"):
credential_policy = AsyncBearerTokenCredentialPolicy(
credential, scope)
else:
raise TypeError(
"Please provide an instance from azure-identity "
"or a class that implement the 'get_token protocol")
else:
credential_policy = MetricsAdvisorKeyCredentialPolicy(
credential)
policies = [
RequestIdPolicy(**kwargs),
self._config.headers_policy,
self._config.user_agent_policy,
self._config.proxy_policy,
ContentDecodePolicy(**kwargs),
self._config.redirect_policy,
self._config.retry_policy,
credential_policy,
self._config.logging_policy, # HTTP request/response log
DistributedTracingPolicy(**kwargs),
self._config.http_logging_policy or HttpLoggingPolicy(**kwargs)
]
if not transport:
transport = AioHttpTransport(**kwargs)
return AsyncPipeline(transport, policies)
async def test_bearer_policy_send():
"""The bearer token policy should invoke the next policy's send method and return the result"""
expected_request = HttpRequest("GET", "https://spam.eggs")
expected_response = Mock(spec=PipelineResponse)
async def verify_request(request):
assert request.http_request is expected_request
return expected_response
async def get_token(_):
return ""
fake_credential = Mock(get_token=get_token)
policies = [
AsyncBearerTokenCredentialPolicy(fake_credential, "scope"),
Mock(spec=HTTPPolicy, send=verify_request),
]
pipeline = AsyncPipeline(transport=Mock(spec=AsyncHttpTransport),
policies=policies)
response = await pipeline.run(expected_request)
assert response is expected_response
def __init__(self, arguments):
super().__init__(arguments)
token = AccessToken("**", int(time.time() + 3600))
self.request = HttpRequest("GET", "https://localhost")
credential = Mock(get_token=Mock(return_value=token))
self.pipeline = Pipeline(
transport=Mock(),
policies=[BearerTokenCredentialPolicy(credential=credential)])
completed_future = asyncio.Future()
completed_future.set_result(token)
async_credential = Mock(get_token=Mock(return_value=completed_future))
# returning a token is okay because the policy does nothing with the transport's response
async_transport = Mock(send=Mock(return_value=completed_future))
self.async_pipeline = AsyncPipeline(
async_transport,
policies=[
AsyncBearerTokenCredentialPolicy(credential=async_credential)
])
def _create_pipeline(self, credential, **kwargs):
# type: (Any, **Any) -> Tuple[Configuration, Pipeline]
credential_policy = None
if hasattr(credential, 'get_token'):
credential_policy = AsyncBearerTokenCredentialPolicy(credential, STORAGE_OAUTH_SCOPE)
elif isinstance(credential, SharedKeyCredentialPolicy):
credential_policy = credential
elif credential is not None:
raise TypeError("Unsupported credential: {}".format(credential))
config = kwargs.get('_configuration') or create_configuration(**kwargs)
if kwargs.get('_pipeline'):
return config, kwargs['_pipeline']
config.transport = kwargs.get('transport') # type: ignore
if 'connection_timeout' not in kwargs:
kwargs['connection_timeout'] = DEFAULT_SOCKET_TIMEOUT[0] # type: ignore
if not config.transport:
try:
from azure.core.pipeline.transport import AioHttpTransport
except ImportError:
raise ImportError("Unable to create async transport. Please check aiohttp is installed.")
config.transport = AioHttpTransport(**kwargs)
policies = [
QueueMessagePolicy(),
config.headers_policy,
config.user_agent_policy,
StorageContentValidation(),
StorageRequestHook(**kwargs),
credential_policy,
ContentDecodePolicy(),
AsyncRedirectPolicy(**kwargs),
StorageHosts(hosts=self._hosts, **kwargs), # type: ignore
config.retry_policy,
config.logging_policy,
AsyncStorageResponseHook(**kwargs),
DistributedTracingPolicy(),
]
return config, AsyncPipeline(config.transport, policies=policies)
def __init__(self, endpoint, credential, **kwargs):
# type: (str, MetricsAdvisorKeyCredential, Any) -> None
try:
if not endpoint.lower().startswith('http'):
endpoint = "https://" + endpoint
except AttributeError:
raise ValueError("Base URL must be a string.")
if not credential:
raise ValueError("Missing credential")
self._endpoint = endpoint
if isinstance(credential, MetricsAdvisorKeyCredential):
self._client = AzureCognitiveServiceMetricsAdvisorRESTAPIOpenAPIV2(
endpoint=endpoint,
sdk_moniker=SDK_MONIKER,
authentication_policy=MetricsAdvisorKeyCredentialPolicy(
credential),
**kwargs)
else:
if hasattr(credential, "get_token"):
credential_scopes = kwargs.pop(
'credential_scopes',
['https://cognitiveservices.azure.com/.default'])
credential_policy = AsyncBearerTokenCredentialPolicy(
credential, *credential_scopes)
else:
raise TypeError(
"Please provide an instance from azure-identity "
"or a class that implement the 'get_token protocol")
self._client = AzureCognitiveServiceMetricsAdvisorRESTAPIOpenAPIV2(
endpoint=endpoint,
sdk_moniker=SDK_MONIKER,
authentication_policy=credential_policy,
**kwargs)
def __init__(self, arguments):
super().__init__(arguments)
token = AccessToken("**", int(time.time() + 3600))
self.request = HttpRequest("GET", "https://localhost")
credential = Mock(get_token=Mock(return_value=token))
self.pipeline = Pipeline(
transport=Mock(),
policies=[BearerTokenCredentialPolicy(credential=credential)])
get_token_future = asyncio.Future()
get_token_future.set_result(token)
async_credential = Mock(get_token=Mock(return_value=get_token_future))
send_future = asyncio.Future()
send_future.set_result(Mock())
async_transport = Mock(send=Mock(return_value=send_future))
self.async_pipeline = AsyncPipeline(
async_transport,
policies=[
AsyncBearerTokenCredentialPolicy(credential=async_credential)
])
async def test_bearer_policy_enforces_tls():
credential = Mock()
pipeline = AsyncPipeline(transport=Mock(), policies=[AsyncBearerTokenCredentialPolicy(credential, "scope")])
with pytest.raises(ServiceRequestError):
await pipeline.run(HttpRequest("GET", "http://not.secure"))
def __init__(
self,
*,
endpoint: str,
credential: Union[ConfidentialLedgerCertificateCredential, "TokenCredential"],
ledger_certificate_path: str,
**kwargs: Any
) -> None:
client = kwargs.get("generated_client")
if client:
# caller provided a configured client -> nothing left to initialize
self._client = client
return
if not endpoint:
raise ValueError("Expected endpoint to be a non-empty string")
if not credential:
raise ValueError("Expected credential to not be None")
if not isinstance(ledger_certificate_path, str):
raise TypeError("ledger_certificate_path must be a string")
if ledger_certificate_path == "":
raise ValueError(
"If not None, ledger_certificate_path must be a non-empty string"
)
endpoint = endpoint.strip(" /")
try:
if not endpoint.startswith("https://"):
self._endpoint = "https://" + endpoint
else:
self._endpoint = endpoint
except AttributeError:
raise ValueError("Confidential Ledger URL must be a string.")
self.api_version = kwargs.pop("api_version", DEFAULT_VERSION)
if not kwargs.get("transport", None):
# Customize the transport layer to use client certificate authentication and validate
# a self-signed TLS certificate.
if isinstance(credential, ConfidentialLedgerCertificateCredential):
# The async version of the client seems to expect a sequence of filenames.
# azure/core/pipeline/transport/_aiohttp.py:163
# > ssl_ctx.load_cert_chain(*cert)
kwargs["connection_cert"] = (credential.certificate_path,)
kwargs["connection_verify"] = ledger_certificate_path
http_logging_policy = HttpLoggingPolicy(**kwargs)
http_logging_policy.allowed_header_names.update(
{
"x-ms-keyvault-network-info",
"x-ms-keyvault-region",
"x-ms-keyvault-service-version",
}
)
if not isinstance(credential, ConfidentialLedgerCertificateCredential):
kwargs["authentication_policy"] = kwargs.pop(
"authentication_policy",
AsyncBearerTokenCredentialPolicy(
credential,
"https://confidential-ledger.azure.com/.default",
**kwargs
),
)
try:
self._client = _ConfidentialLedgerClient(
self._endpoint,
api_version=self.api_version,
http_logging_policy=http_logging_policy,
sdk_moniker=USER_AGENT,
**kwargs
)
except NotImplementedError:
raise NotImplementedError(
"This package doesn't support API version '{}'. ".format(
self.api_version
)
+ "Supported versions: 0.1-preview"
)
