def test_persistent_cache_linux(mock_extensions):
"""The credential should use an unencrypted cache when encryption is unavailable and the user explicitly opts in.
This test was written when Linux was the only platform on which encryption may not be available.
"""
required_arguments = ("tenant-id", "client-id", "secret")
# the credential should prefer an encrypted cache even when the user allows an unencrypted one
ClientSecretCredential(*required_arguments,
_enable_persistent_cache=True,
_allow_unencrypted_cache=True)
assert mock_extensions.PersistedTokenCache.called_with(
mock_extensions.LibsecretPersistence)
mock_extensions.PersistedTokenCache.reset_mock()
# (when LibsecretPersistence's dependencies aren't available, constructing it raises ImportError)
mock_extensions.LibsecretPersistence = Mock(side_effect=ImportError)
# encryption unavailable, no opt in to unencrypted cache -> credential should raise
with pytest.raises(ValueError):
ClientSecretCredential(*required_arguments,
_enable_persistent_cache=True)
ClientSecretCredential(*required_arguments,
_enable_persistent_cache=True,
_allow_unencrypted_cache=True)
assert mock_extensions.PersistedTokenCache.called_with(
mock_extensions.FilePersistence)
async def test_request_url():
authority = "localhost"
tenant_id = "expected_tenant"
access_token = "***"
async def mock_send(request, **kwargs):
parsed = urlparse(request.url)
assert parsed.scheme == "https"
assert parsed.netloc == authority
assert parsed.path.startswith("/" + tenant_id)
return mock_response(json_payload={
"token_type": "Bearer",
"expires_in": 42,
"access_token": access_token
})
credential = ClientSecretCredential(tenant_id,
"client-id",
"secret",
transport=Mock(send=mock_send),
authority=authority)
token = await credential.get_token("scope")
assert token.token == access_token
# authority can be configured via environment variable
with patch.dict("os.environ",
{EnvironmentVariables.AZURE_AUTHORITY_HOST: authority},
clear=True):
credential = ClientSecretCredential(tenant_id,
"client-id",
"secret",
transport=Mock(send=mock_send))
await credential.get_token("scope")
assert token.token == access_token
def test_enable_persistent_cache():
"""the credential should use the persistent cache only when given enable_persistent_cache=True"""
required_arguments = ("tenant-id", "client-id", "secret")
persistent_cache = "azure.identity._internal.persistent_cache"
# credential should default to an in memory cache
raise_when_called = Mock(side_effect=Exception(
"credential shouldn't attempt to load a persistent cache"))
with patch(persistent_cache + "._load_persistent_cache",
raise_when_called):
ClientSecretCredential(*required_arguments)
# allowing an unencrypted cache doesn't count as opting in to the persistent cache
ClientSecretCredential(*required_arguments,
_allow_unencrypted_cache=True)
# keyword argument opts in to persistent cache
with patch(persistent_cache + ".msal_extensions") as mock_extensions:
ClientSecretCredential(*required_arguments,
_enable_persistent_cache=True)
assert mock_extensions.PersistedTokenCache.call_count == 1
# opting in on an unsupported platform raises an exception
with patch(persistent_cache + ".sys.platform", "commodore64"):
with pytest.raises(NotImplementedError):
ClientSecretCredential(*required_arguments,
_enable_persistent_cache=True)
with pytest.raises(NotImplementedError):
ClientSecretCredential(*required_arguments,
_enable_persistent_cache=True,
_allow_unencrypted_cache=True)
async def test_request_url(authority):
"""the credential should accept an authority, with or without scheme, as an argument or environment variable"""
tenant_id = "expected-tenant"
access_token = "***"
parsed_authority = urlparse(authority)
expected_netloc = parsed_authority.netloc or authority # "localhost" parses to netloc "", path "localhost"
async def mock_send(request, **kwargs):
actual = urlparse(request.url)
assert actual.scheme == "https"
assert actual.netloc == expected_netloc
assert actual.path.startswith("/" + tenant_id)
return mock_response(json_payload={"token_type": "Bearer", "expires_in": 42, "access_token": access_token})
credential = ClientSecretCredential(
tenant_id, "client-id", "secret", transport=Mock(send=mock_send), authority=authority
)
token = await credential.get_token("scope")
assert token.token == access_token
# authority can be configured via environment variable
with patch.dict("os.environ", {EnvironmentVariables.AZURE_AUTHORITY_HOST: authority}, clear=True):
credential = ClientSecretCredential(tenant_id, "client-id", "secret", transport=Mock(send=mock_send))
await credential.get_token("scope")
assert token.token == access_token
def test_tenant_id_validation():
"""The credential should raise ValueError when given an invalid tenant_id"""
valid_ids = {"c878a2ab-8ef4-413b-83a0-199afb84d7fb", "contoso.onmicrosoft.com", "organizations", "common"}
for tenant in valid_ids:
ClientSecretCredential(tenant, "client-id", "secret")
invalid_ids = {"", "my tenant", "my_tenant", "/", "\\", '"my-tenant"', "'my-tenant'"}
for tenant in invalid_ids:
with pytest.raises(ValueError):
ClientSecretCredential(tenant, "client-id", "secret")
async def test_cache_multiple_clients():
"""the credential shouldn't use tokens issued to other service principals"""
access_token_a = "token a"
access_token_b = "not " + access_token_a
transport_a = async_validating_transport(
requests=[Request()],
responses=[
mock_response(json_payload=build_aad_response(
access_token=access_token_a))
])
transport_b = async_validating_transport(
requests=[Request()],
responses=[
mock_response(json_payload=build_aad_response(
access_token=access_token_b))
])
cache = TokenCache()
with patch(ClientSecretCredential.__module__ +
"._load_persistent_cache") as mock_cache_loader:
mock_cache_loader.return_value = Mock(wraps=cache)
credential_a = ClientSecretCredential(
"tenant",
"client-a",
"secret",
transport=transport_a,
cache_persistence_options=TokenCachePersistenceOptions(),
)
assert mock_cache_loader.call_count == 1, "credential should load the persistent cache"
credential_b = ClientSecretCredential(
"tenant",
"client-b",
"secret",
transport=transport_b,
cache_persistence_options=TokenCachePersistenceOptions(),
)
assert mock_cache_loader.call_count == 2, "credential should load the persistent cache"
# A caches a token
scope = "scope"
token_a = await credential_a.get_token(scope)
assert token_a.token == access_token_a
assert transport_a.send.call_count == 1
# B should get a different token for the same scope
token_b = await credential_b.get_token(scope)
assert token_b.token == access_token_b
assert transport_b.send.call_count == 1
assert len(cache.find(TokenCache.CredentialType.ACCESS_TOKEN)) == 2
def test_token_cache():
"""the credential should default to an in memory cache, and optionally use a persistent cache"""
with patch("azure.identity._persistent_cache.msal_extensions") as mock_msal_extensions:
with patch(ClientSecretCredential.__module__ + ".msal") as mock_msal:
ClientSecretCredential("tenant", "client-id", "secret")
assert mock_msal.TokenCache.call_count == 1
assert not mock_msal_extensions.PersistedTokenCache.called
ClientSecretCredential(
"tenant", "client-id", "secret", cache_persistence_options=TokenCachePersistenceOptions()
)
assert mock_msal_extensions.PersistedTokenCache.call_count == 1
async def test_cache():
expired = "this token's expired"
now = int(time.time())
expired_on = now - 3600
expired_token = AccessToken(expired, expired_on)
token_payload = {
"access_token": expired,
"expires_in": 0,
"ext_expires_in": 0,
"expires_on": expired_on,
"not_before": now,
"token_type": "Bearer",
}
mock_send = Mock(return_value=mock_response(json_payload=token_payload))
transport = Mock(send=wrap_in_future(mock_send))
scope = "scope"
credential = ClientSecretCredential("tenant-id", "client-id", "secret", transport=transport)
# get_token initially returns the expired token because the credential
# doesn't check whether tokens it receives from the service have expired
token = await credential.get_token(scope)
assert token == expired_token
access_token = "new token"
token_payload["access_token"] = access_token
token_payload["expires_on"] = now + 3600
valid_token = AccessToken(access_token, now + 3600)
# second call should observe the cached token has expired, and request another
token = await credential.get_token(scope)
assert token == valid_token
assert mock_send.call_count == 2
async def test_multitenant_authentication():
first_tenant = "first-tenant"
first_token = "***"
second_tenant = "second-tenant"
second_token = first_token * 2
async def send(request, **kwargs):
assert "tenant_id" not in kwargs, "tenant_id kwarg shouldn't get passed to send method"
parsed = urlparse(request.url)
tenant = parsed.path.split("/")[1]
assert tenant in (first_tenant, second_tenant), 'unexpected tenant "{}"'.format(tenant)
token = first_token if tenant == first_tenant else second_token
return mock_response(json_payload=build_aad_response(access_token=token))
credential = ClientSecretCredential(
first_tenant, "client-id", "secret", transport=Mock(send=send)
)
token = await credential.get_token("scope")
assert token.token == first_token
token = await credential.get_token("scope", tenant_id=first_tenant)
assert token.token == first_token
token = await credential.get_token("scope", tenant_id=second_tenant)
assert token.token == second_token
# should still default to the first tenant
token = await credential.get_token("scope")
assert token.token == first_token
async def test_client_secret_credential_cache():
expired = "this token's expired"
now = time.time()
expired_on = int(now - 300)
expired_token = AccessToken(expired, expired_on)
token_payload = {
"access_token": expired,
"expires_in": 0,
"ext_expires_in": 0,
"expires_on": expired_on,
"not_before": now,
"token_type": "Bearer",
"resource": str(uuid.uuid1()),
}
mock_response = Mock(
text=lambda: json.dumps(token_payload),
headers={"content-type": "application/json"},
status_code=200,
content_type=["application/json"],
)
mock_send = Mock(return_value=mock_response)
credential = ClientSecretCredential(
"client_id",
"secret",
tenant_id=str(uuid.uuid1()),
transport=Mock(send=asyncio.coroutine(mock_send)))
scopes = ("https://foo.bar/.default", "https://bar.qux/.default")
token = await credential.get_token(*scopes)
assert token == expired_token
token = await credential.get_token(*scopes)
assert token == expired_token
assert mock_send.call_count == 2
async def test_client_secret_credential_async(aad_credential, live_eventhub):
try:
from azure.identity.aio import ClientSecretCredential
except ImportError:
pytest.skip("No azure identity library")
client_id, secret, tenant_id = aad_credential
credential = ClientSecretCredential(client_id=client_id,
client_secret=secret,
tenant_id=tenant_id)
client = EventHubClient(host=live_eventhub['hostname'],
event_hub_path=live_eventhub['event_hub'],
credential=credential,
user_agent='customized information')
sender = client.create_producer(partition_id='0')
receiver = client.create_consumer(consumer_group="$default",
partition_id='0',
event_position=EventPosition("@latest"))
async with receiver:
received = await receiver.receive(timeout=3)
assert len(received) == 0
async with sender:
event = EventData(body='A single message')
await sender.send(event)
await asyncio.sleep(1)
received = await receiver.receive(timeout=3)
assert len(received) == 1
assert list(received[0].body)[0] == 'A single message'.encode('utf-8')
async def create_attestation_client_shared(self):
"""
Instantiate an attestation client using client secrets to access the shared attestation provider.
"""
write_banner("create_attestation_client_shared")
# [START sharedclient_create]
tenant_id = os.getenv("ATTESTATION_TENANT_ID")
client_id = os.getenv("ATTESTATION_CLIENT_ID")
secret = os.getenv("ATTESTATION_CLIENT_SECRET")
if not tenant_id or not client_id or not secret:
raise Exception("Must provide client credentials.")
# Create azure-identity class
from azure.identity.aio import ClientSecretCredential
from azure.security.attestation.aio import AttestationClient
shared_short_name = os.getenv("ATTESTATION_LOCATION_SHORT_NAME")
shared_url = 'https://shared' + shared_short_name + \
'.' + shared_short_name + '.attest.azure.net'
async with ClientSecretCredential(
tenant_id=tenant_id, client_id=client_id,
client_secret=secret) as credentials, AttestationClient(
credentials, instance_url=self.aad_url) as client:
print("Retrieve OpenID metadata from: ", shared_url)
openid_metadata = await client.get_openidmetadata()
print(" Certificate URI: ", openid_metadata["jwks_uri"])
print(" Issuer: ", openid_metadata["issuer"])
def from_credentials_data(credentials: dict,
scopes: Optional[List[str]] = None):
credential = ClientSecretCredential(
tenant_id=credentials['tenant'],
client_id=credentials['appId'],
client_secret=credentials['password'])
return AzureCredentials(credential, scopes)
async def create_attestation_client_aad(self):
"""
Instantiate an attestation client using client secrets.
"""
write_banner("create_attestation_client_aad")
# [START client_create]
tenant_id = os.getenv("ATTESTATION_TENANT_ID")
client_id = os.getenv("ATTESTATION_CLIENT_ID")
secret = os.getenv("ATTESTATION_CLIENT_SECRET")
if not tenant_id or not client_id or not secret:
raise Exception("Must provide client credentials.")
# Create azure-identity class
from azure.identity.aio import ClientSecretCredential
from azure.security.attestation.aio import AttestationClient
async with ClientSecretCredential(
tenant_id=tenant_id, client_id=client_id,
client_secret=secret) as credentials, AttestationClient(
credentials, instance_url=self.aad_url) as client:
print("Retrieve OpenID metadata from: ", self.aad_url)
openid_metadata = await client.get_openidmetadata()
print(" Certificate URI: ", openid_metadata["jwks_uri"])
print(" Issuer: ", openid_metadata["issuer"])
await client.close()
def from_file(credentials_file: str, scopes: Optional[List[str]] = None):
with open(credentials_file, 'r') as f:
data = json.loads(f.read())
credential = ClientSecretCredential(tenant_id=data['tenant'],
client_id=data['appId'],
client_secret=data['password'])
return AzureCredentials(credential, scopes)
async def test_multitenant_authentication(self, client, is_hsm, **kwargs):
if not self.is_live:
pytest.skip("This test is incompatible with vcrpy in playback")
client_id = os.environ.get("KEYVAULT_CLIENT_ID")
client_secret = os.environ.get("KEYVAULT_CLIENT_SECRET")
if not (client_id and client_secret):
pytest.skip(
"Values for KEYVAULT_CLIENT_ID and KEYVAULT_CLIENT_SECRET are required"
)
# we set up a client for this method so it gets awaited, but we actually want to create a new client
# this new client should use a credential with an initially fake tenant ID and still succeed with a real request
credential = ClientSecretCredential(tenant_id=str(uuid4()),
client_id=client_id,
client_secret=client_secret)
vault_url = self.managed_hsm_url if is_hsm else self.vault_url
client = KeyClient(vault_url=vault_url, credential=credential)
if self.is_live:
await asyncio.sleep(2) # to avoid throttling by the service
key_name = self.get_resource_name("multitenant-key")
key = await client.create_rsa_key(key_name)
assert key.id
# try making another request with the credential's token revoked
# the challenge policy should correctly request a new token for the correct tenant when a challenge is cached
client._client._config.authentication_policy._token = None
fetched_key = await client.get_key(key_name)
assert key.id == fetched_key.id
def _credential():
credential = ClientSecretCredential(
client_id = os.environ['AZURE_CLIENT_ID'],
client_secret = os.environ['AZURE_CLIENT_SECRET'],
tenant_id = os.environ['AZURE_TENANT_ID']
)
return credential
async def test_allow_multitenant_authentication():
"""When allow_multitenant_authentication is True, the credential should respect get_token(tenant_id=...)"""
first_tenant = "first-tenant"
first_token = "***"
second_tenant = "second-tenant"
second_token = first_token * 2
async def send(request, **_):
parsed = urlparse(request.url)
tenant = parsed.path.split("/")[1]
assert tenant in (
first_tenant,
second_tenant), 'unexpected tenant "{}"'.format(tenant)
token = first_token if tenant == first_tenant else second_token
return mock_response(json_payload=build_aad_response(
access_token=token))
credential = ClientSecretCredential(first_tenant,
"client-id",
"secret",
allow_multitenant_authentication=True,
transport=Mock(send=send))
token = await credential.get_token("scope")
assert token.token == first_token
token = await credential.get_token("scope", tenant_id=first_tenant)
assert token.token == first_token
token = await credential.get_token("scope", tenant_id=second_tenant)
assert token.token == second_token
# should still default to the first tenant
token = await credential.get_token("scope")
assert token.token == first_token
async def test_client_secret_credential(live_service_principal):
credential = ClientSecretCredential(
live_service_principal["tenant_id"],
live_service_principal["client_id"],
live_service_principal["client_secret"],
)
await get_token(credential)
async def test_close():
transport = AsyncMockTransport()
credential = ClientSecretCredential("tenant-id", "client-id", "client-secret", transport=transport)
await credential.close()
assert transport.__aexit__.call_count == 1
async def test_no_scopes():
"""The credential should raise ValueError when get_token is called with no scopes"""
credential = ClientSecretCredential("tenant-id", "client-id",
"client-secret")
with pytest.raises(ValueError):
await credential.get_token()
async def test_persistent_cache_multiple_clients():
"""the credential shouldn't use tokens issued to other service principals"""
access_token_a = "token a"
access_token_b = "not " + access_token_a
transport_a = async_validating_transport(
requests=[Request()],
responses=[
mock_response(json_payload=build_aad_response(
access_token=access_token_a))
])
transport_b = async_validating_transport(
requests=[Request()],
responses=[
mock_response(json_payload=build_aad_response(
access_token=access_token_b))
])
cache = TokenCache()
with patch(
"azure.identity._internal.persistent_cache._load_persistent_cache"
) as mock_cache_loader:
mock_cache_loader.return_value = Mock(wraps=cache)
credential_a = ClientSecretCredential("tenant-id",
"client-a",
"...",
_enable_persistent_cache=True,
transport=transport_a)
assert mock_cache_loader.call_count == 1, "credential should load the persistent cache"
credential_b = ClientSecretCredential("tenant-id",
"client-b",
"...",
_enable_persistent_cache=True,
transport=transport_b)
assert mock_cache_loader.call_count == 2, "credential should load the persistent cache"
# A caches a token
scope = "scope"
token_a = await credential_a.get_token(scope)
assert token_a.token == access_token_a
assert transport_a.send.call_count == 1
# B should get a different token for the same scope
token_b = await credential_b.get_token(scope)
assert token_b.token == access_token_b
assert transport_b.send.call_count == 1
def generate_oauth_token(self):
if self.is_live:
from azure.identity.aio import ClientSecretCredential
return ClientSecretCredential(
os.getenv("TRANSLATION_TENANT_ID"),
os.getenv("TRANSLATION_CLIENT_ID"),
os.getenv("TRANSLATION_CLIENT_SECRET"),
)
def create_client(args):
if args.storage_conn_str:
checkpoint_store = BlobCheckpointStore.from_connection_string(
args.storage_conn_str, args.storage_container_name)
else:
checkpoint_store = None
transport_type = TransportType.Amqp if args.transport_type == 0 else TransportType.AmqpOverWebsocket
http_proxy = None
if args.proxy_hostname:
http_proxy = {
"proxy_hostname": args.proxy_hostname,
"proxy_port": args.proxy_port,
"username": args.proxy_username,
"password": args.proxy_password,
}
if args.conn_str:
client = EventHubConsumerClientTest.from_connection_string(
args.conn_str,
args.consumer_group,
eventhub_name=args.eventhub,
checkpoint_store=checkpoint_store,
load_balancing_interval=args.load_balancing_interval,
auth_timeout=args.auth_timeout,
http_proxy=http_proxy,
transport_type=transport_type,
logging_enable=args.uamqp_logging_enable)
elif args.hostname:
client = EventHubConsumerClientTest(
fully_qualified_namespace=args.hostname,
eventhub_name=args.eventhub,
consumer_group=args.consumer_group,
credential=EventHubSharedKeyCredential(args.sas_policy,
args.sas_key),
checkpoint_store=checkpoint_store,
load_balancing_interval=args.load_balancing_interval,
auth_timeout=args.auth_timeout,
http_proxy=http_proxy,
transport_type=transport_type,
logging_enable=args.uamqp_logging_enable)
elif args.aad_client_id:
credential = ClientSecretCredential(args.tenant_id, args.aad_client_id,
args.aad_secret)
client = EventHubConsumerClientTest(
fully_qualified_namespace=args.hostname,
eventhub_name=args.eventhub,
consumer_group=args.consumer_group,
credential=credential,
checkpoint_store=checkpoint_store,
load_balancing_interval=args.load_balancing_interval,
auth_timeout=args.auth_timeout,
http_proxy=http_proxy,
transport_type=transport_type,
logging_enable=args.uamqp_logging_enable)
return client
def generate_oauth_token(self):
if self.is_live:
from azure.identity.aio import ClientSecretCredential
return ClientSecretCredential(
self.get_settings_value("AZURE_TENANT_ID"),
self.get_settings_value("AZURE_CLIENT_ID"),
self.get_settings_value("AZURE_CLIENT_SECRET"),
)
return self.generate_fake_token()
async def test_user_agent():
transport = async_validating_transport(
requests=[Request(required_headers={"User-Agent": USER_AGENT})],
responses=[mock_response(json_payload=build_aad_response(access_token="**"))],
)
credential = ClientSecretCredential("tenant-id", "client-id", "client-secret", transport=transport)
await credential.get_token("scope")
async def test_context_manager():
transport = AsyncMockTransport()
credential = ClientSecretCredential("tenant-id", "client-id", "client-secret", transport=transport)
async with credential:
assert transport.__aenter__.call_count == 1
assert transport.__aenter__.call_count == 1
assert transport.__aexit__.call_count == 1
def generate_oauth_token(self):
if self.is_live:
from azure.identity.aio import ClientSecretCredential
return ClientSecretCredential(
os.getenv("FORMRECOGNIZER_TENANT_ID"),
os.getenv("FORMRECOGNIZER_CLIENT_ID"),
os.getenv("FORMRECOGNIZER_CLIENT_SECRET"),
)
return self.generate_fake_token()
async def test_client_secret_credential(live_identity_settings):
credential = ClientSecretCredential(
live_identity_settings["client_id"],
live_identity_settings["client_secret"],
live_identity_settings["tenant_id"],
)
token = await credential.get_token(ARM_SCOPE)
assert token
assert token.token
assert token.expires_on
def get_credential(self, authority=None, **kwargs):
if self.is_live:
if authority != AzureAuthorityHosts.AZURE_PUBLIC_CLOUD:
return ClientSecretCredential(
tenant_id=os.environ["CONTAINERREGISTRY_TENANT_ID"],
client_id=os.environ["CONTAINERREGISTRY_CLIENT_ID"],
client_secret=os.
environ["CONTAINERREGISTRY_CLIENT_SECRET"],
authority=authority)
return DefaultAzureCredential(**kwargs)
return AsyncFakeTokenCredential()
