Skip to content

Migrate All lab helper methods to Key Vault/Region test migration. #5606

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
RyAuld wants to merge 9 commits into
base: main
Choose a base branch
from
Draft

Migrate All lab helper methods to Key Vault/Region test migration. #5606

RyAuld wants to merge 9 commits into from

Conversation

@RyAuld
Copy link
Contributor

@RyAuld RyAuld commented Dec 2, 2025
edited
Loading

Migrate Test Infrastructure from msidlab.com API to Key Vault + IMDS V2 Improvements

Overview

This PR contains two major improvements:

  1. Complete migration of MSAL test infrastructure from direct msidlab.com API calls to Azure Key Vault-based data retrieval for improved reliability and maintainability
  2. Comprehensive IMDS V2 enhancements including improved source detection logic, retry policies, and probe mechanisms

Key Changes

🔑 Key Vault Migration (Test Infrastructure Modernization)

Migrated Methods:

  • B2C Tests: GetB2CLocalAccountAsync() now uses Key Vault secrets (B2C-User-IDLab-JSON, B2C-App-IDLABSAPPB2C-JSON) instead of direct API calls
  • Arlington Tests: GetArlingtonUserAsync() and GetArlingtonADFSUserAsync() migrated to use Arlington Key Vault (ARL-User-IDLab-JSON, ARL-App-IDLABSAPP-JSON)
  • CIAM Tests: GetCIAMUserAsync() now retrieves data from Key Vault (MSAL-User-CIAM-JSON, MSAL-App-CIAM-JSON) in MSIDLABCIAM6 tenant
  • Regional Tests: Updated to use MSAL-APP-AzureADMultipleOrgs configuration in ID4SLAB1 tenant with eastus2 region

Benefits:

  • ✅ Eliminates direct dependency on msidlab.com API for better reliability
  • ✅ Centralized secret management through Azure Key Vault
  • ✅ Improved test stability and reduced flakiness
  • ✅ Better separation of concerns between test data and test logic

Implementation Pattern:
All migrations follow the established MergeKVLabDataAsync() pattern:

// Before: Direct API call
return GetLabUserDataAsync(UserQuery.B2CLocalAccountUserQuery);

// After: Key Vault-based retrieval
return MergeKVLabDataAsync("B2C-User-IDLab-JSON", "MSIDLABB2C", "B2C-App-IDLABSAPPB2C-JSON");

🔄 IMDS V2 Source Detection & Retry Policy Improvements

Enhanced Managed Identity Source Detection:

  • Improved IMDS Probe Logic: Refactored probe mechanism with better error handling and fallback behavior
  • Enhanced Retry Policies: Improved ImdsProbeRetryPolicy (renamed from CsrMetadataProbeRetryPolicy) with better exponential backoff
  • Robust Source Detection: Better differentiation between IMDSv1, IMDSv2, and unavailable sources
  • Timeout Handling: Added proper cancellation token support for probe operations

Key Improvements:

  • 🔧 Better Error Recovery: Enhanced fallback logic when IMDSv2 is unavailable
  • 🔧 Improved Performance: More efficient source detection with proper timeout handling
  • 🔧 Enhanced Testing: Comprehensive test coverage for probe scenarios and edge cases
  • 🔧 Code Organization: Better separation of concerns between probe logic and token acquisition

🏗️ Regional Configuration Updates

Updated Regional Test Configuration:

  • Client ID: Updated from legacy MSIDLAB4 to 54a2d933-8bf8-483b-a8f8-0a31924f3c1f (MSAL-APP-AzureADMultipleOrgs)
  • Tenant ID: Migrated to ID4SLAB1 tenant (10c419d4-4a50-45b2-aa4e-919fb84df24f)
  • Regional Endpoint: Changed from centralus.login.microsoft.com to eastus2.login.microsoft.com
  • Key Vault Integration: Now uses MsalTeam Key Vault with MSAL-APP-AzureADMultipleOrgs secret

🧹 Code Cleanup & Maintenance

Removed Legacy Code:

  • Cleaned up unused helper methods in LabUserHelper.cs
  • Removed obsolete caching mechanisms for API-based calls
  • Simplified test setup patterns across multiple test suites

Enhanced Test Reliability:

  • Added proper mock handling for IMDS probe scenarios
  • Improved test isolation and reduced inter-test dependencies
  • Better error handling and timeout management in tests

Files Changed

Core Infrastructure

  • tests/Microsoft.Identity.Test.LabInfrastructure/LabUserHelper.cs - Key Vault migration implementation
  • tests/Microsoft.Identity.Test.Integration.netcore/Infrastructure/ConfidentialAppSettings.cs - Regional configuration updates
  • tests/Microsoft.Identity.Test.Common/TestConstants.cs - Regional endpoint updates

IMDS V2 Enhancements

  • src/client/Microsoft.Identity.Client/ManagedIdentity/V2/ImdsV2ManagedIdentitySource.cs - Enhanced probe logic
  • src/client/Microsoft.Identity.Client/Http/Retry/ImdsProbeRetryPolicy.cs - Improved retry policies (renamed)
  • src/client/Microsoft.Identity.Client/ManagedIdentity/ManagedIdentityClient.cs - Better source detection
  • src/client/Microsoft.Identity.Client/ManagedIdentity/V2/ImdsVersion.cs - New enumeration for version handling

Test Updates

  • tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/* - Updated to use new Key Vault patterns
  • tests/Microsoft.Identity.Test.Unit/ManagedIdentityTests/* - Enhanced IMDS V2 test coverage
  • tests/Microsoft.Identity.Test.Common/Core/Mocks/MockHelpers.cs - Improved mock support

Testing

  • ✅ All existing tests updated to work with Key Vault-based data retrieval
  • ✅ Comprehensive IMDS V2 probe test coverage added
  • ✅ Regional configuration tests verify new tenant setup
  • ✅ Enhanced mock scenarios for better test isolation
  • ✅ Improved error handling test cases

Migration Impact

No Breaking Changes:

  • All public APIs remain unchanged
  • Test behavior is preserved while improving reliability
  • Existing test scenarios continue to work seamlessly

Improved Reliability:

  • Reduced dependency on external API availability
  • Better error handling and retry mechanisms
  • More stable CI/CD pipeline execution

Related Work

This PR consolidates multiple infrastructure improvements:

  • Initial Key Vault integration patterns
  • ADFS configuration migrations
  • Regional test modernization
  • IMDS V2 feature enhancements
  • Test reliability improvements

The migration establishes a robust foundation for future test infrastructure enhancements while maintaining backward compatibility and improving overall system reliability.

RyAuld added 3 commits December 2, 2025 15:05
@RyAuld
Migrate GetArlingtonADFSUserAsync to Key Vault
03131d9 
- Replace direct msidlab.com API call with Key Vault data retrieval
- Use MergeKVLabDataAsync pattern consistent with other migrated methods
- Maintains same functionality while reducing external API dependencies
@RyAuld
Migrate Arlington methods to Key Vault
a4d6dfd 
- Migrate GetArlingtonUserAsync to use MergeKVLabDataAsync with Key Vault secrets
- Migrate GetArlingtonADFSUserAsync to use MergeKVLabDataAsync with Key Vault secrets
- Replace direct msidlab.com API calls with pre-cached Key Vault data retrieval
- Maintains same functionality while reducing external API dependencies
- Uses consistent pattern with other migrated methods (B2C, default users)
- Arlington ADFS migration verified working in tests
- Arlington standard method has Key Vault data quality issue to be resolved separately
@RyAuld
Migrate CIAM tests to use Key Vault-based GetCIAMUserAsync method
6666d35 
- Added GetCIAMUserAsync() method in LabUserHelper using Key Vault secrets
- Updated all 4 CIAM integration tests to use new method instead of direct API calls
- Verified all tests pass with Key Vault cached data
- Improves reliability by removing dependency on msidlab.com API calls
@RyAuld RyAuld changed the title Migrate GetArlingtonADFSUserAsync to Key Vault Migrate All lab helper methods to Key Vault Dec 3, 2025
RyAuld and others added 5 commits December 4, 2025 10:08
@RyAuld
Clean up unused helper methods in LabUserHelper
bf044c5 
- Remove GetLabUserDataAsync (only used by obsolete GetAdfsUserAsync)
- Remove GetAdfsUserAsync (no external callers, replaced by GetDefaultAdfsUserAsync)
- Remove GetHybridSpaAccontAsync (no external callers, test now uses GetDefaultUserWithMultiTenantAppAsync)
- Remove s_userCache field and System.Collections.Concurrent import (no longer needed)
- Update TODO comments to remove references to deleted methods
- All active functionality preserved, ~45 lines of obsolete code removed
@RyAuld
Merge branch 'main' into MigrateOtherAPIRequests
ac0cf41
@RyAuld
Merge branch 'main' into MigrateOtherAPIRequests
07c7473
@RyAuld
Update region tests to use MSAL-APP-AzureADMultipleOrgs in ID4SLAB1 t…
bb9507e 
…enant

- Migrate PublicLegacyCloudConfidentialAppSettings from legacy MSIDLAB4 to ID4SLAB1 tenant
- Update Client ID to 54a2d933-8bf8-483b-a8f8-0a31924f3c1f (MSAL-APP-AzureADMultipleOrgs)
- Update Tenant ID to 10c419d4-4a50-45b2-aa4e-919fb84df24f (ID4SLAB1)
- Change secret from MSIDLAB4-IDLABS-APP-AzureADMyOrg-CC to MSAL-APP-AzureADMultipleOrgs
- Switch Key Vault instance from MSIDLab to MsalTeam
- Update regional endpoint from centralus to eastus2 for ID4SLAB1 tenant location
- Update Region constant from centralus to eastus2
@RyAuld
Merge branch 'MigrateOtherAPIRequests' of https://github.com/AzureAD/…
401ba64 
…microsoft-authentication-library-for-dotnet into MigrateOtherAPIRequests
@RyAuld RyAuld changed the title Migrate All lab helper methods to Key Vault Migrate All lab helper methods to Key Vault/Region test migration. Dec 12, 2025
@RyAuld
Fix hardcoded centralus references in regional authentication tests
70da243 
- Updated RegionDiscoveryProviderTests to use TestConstants.Region instead of hardcoded 'centralus'
- Fixed ClientCredentialsTests.WithRegion to use dynamic regional host configuration
- Updated ClientCredentialWithRegionTests, MtlsPopTests, and MsalExceptionTests to use TestConstants.Region
- Ensures all regional tests are consistent with ID4SLAB1 tenant's eastus2 configuration
- Resolves test failures caused by region expectation mismatches
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@RyAuld