Credential creation validation (Azure#27918)

billwert · web-flow · commit 3f3050c3504f · 2022-03-29T16:11:07.000-07:00
* in progress

* make `managedIdentityServiceCredential` package private for testing

* In the case `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` are set we should use `AppServiceMsiCredential`

* Unit tests validating correct credentials are created based on environment variables.

* add hamcrest for testing

* use hamcrest for type checking

* update CHANGELOG.md

* add x-version-update

* add hamcrest to external_dependencies.txt

* remove uninteresting CHANGELOG.md entry
diff --git a/eng/versioning/external_dependencies.txt b/eng/versioning/external_dependencies.txt
@@ -203,6 +203,7 @@ org.eclipse.jetty:jetty-http;9.4.44.v20210927
 org.eclipse.jetty:jetty-server;9.4.44.v20210927
 org.eclipse.jgit:org.eclipse.jgit;4.5.7.201904151645-r
 org.glassfish:javax.json;1.1.4
+org.hamcrest:hamcrest;2.2
 org.hamcrest:hamcrest-all;1.3
 org.hamcrest:hamcrest-library;2.2
 org.junit.jupiter:junit-jupiter;5.8.2
diff --git a/sdk/identity/azure-identity/CHANGELOG.md b/sdk/identity/azure-identity/CHANGELOG.md
@@ -8,6 +8,7 @@
 Removed `disableAuthoriyValidaionSafetyCheck` for GA, will reintroduce in next beta.
 
 ### Bugs Fixed
+Correctly use an `AppServiceMsiCredential` in the case both `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` are set.
 
 ### Other Changes
 
diff --git a/sdk/identity/azure-identity/pom.xml b/sdk/identity/azure-identity/pom.xml
@@ -92,6 +92,12 @@
       <artifactId>json-smart</artifactId>
       <version>2.4.7</version> <!-- {x-version-update;net.minidev:json-smart;external_dependency} -->
     </dependency>
+    <dependency>
+      <groupId>org.hamcrest</groupId>
+      <artifactId>hamcrest</artifactId>
+      <version>2.2</version> <!-- {x-version-update;org.hamcrest:hamcrest;external_dependency} -->
+      <scope>test</scope>
+    </dependency>
   </dependencies>
 
   <build>
diff --git a/sdk/identity/azure-identity/src/main/java/com/azure/identity/ManagedIdentityCredential.java b/sdk/identity/azure-identity/src/main/java/com/azure/identity/ManagedIdentityCredential.java
@@ -23,7 +23,7 @@
 public final class ManagedIdentityCredential implements TokenCredential {
     private static final ClientLogger LOGGER = new ClientLogger(ManagedIdentityCredential.class);
 
-    private final ManagedIdentityServiceCredential managedIdentityServiceCredential;
+    final ManagedIdentityServiceCredential managedIdentityServiceCredential;
     private final IdentityClientOptions identityClientOptions;
 
     static final String PROPERTY_IMDS_ENDPOINT = "IMDS_ENDPOINT";
@@ -48,14 +48,27 @@ public final class ManagedIdentityCredential implements TokenCredential {
         Configuration configuration = identityClientOptions.getConfiguration() == null
             ? Configuration.getGlobalConfiguration().clone() : identityClientOptions.getConfiguration();
 
+
+        /*
+         * Choose credential based on available environment variables in this order:
+         *
+         * Azure Arc: IDENTITY_ENDPOINT, IMDS_ENDPOINT
+         * Service Fabric: IDENTITY_ENDPOINT, IDENTITY_HEADER, IDENTITY_SERVER_THUMBPRINT
+         * App Service 2019-08-01: IDENTITY_ENDPOINT, IDENTITY_HEADER (MSI_ENDPOINT and MSI_SECRET will also be set.)
+         * App Service 2017-09-01: MSI_ENDPOINT, MSI_SECRET
+         * Cloud Shell: MSI_ENDPOINT
+         * Pod Identity V2 (AksExchangeToken): AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_FEDERATED_TOKEN_FILE
+         * IMDS/Pod Identity V1: No variables set.
+         */
+
         if (configuration.contains(Configuration.PROPERTY_MSI_ENDPOINT)) {
             managedIdentityServiceCredential = new AppServiceMsiCredential(clientId, clientBuilder.build());
         } else if (configuration.contains(Configuration.PROPERTY_IDENTITY_ENDPOINT)) {
             if (configuration.contains(Configuration.PROPERTY_IDENTITY_HEADER)) {
                 if (configuration.get(PROPERTY_IDENTITY_SERVER_THUMBPRINT) != null) {
                     managedIdentityServiceCredential = new ServiceFabricMsiCredential(clientId, clientBuilder.build());
                 } else {
-                    managedIdentityServiceCredential = new VirtualMachineMsiCredential(clientId, clientBuilder.build());
+                    managedIdentityServiceCredential = new AppServiceMsiCredential(clientId, clientBuilder.build());
                 }
             } else if (configuration.get(PROPERTY_IMDS_ENDPOINT) != null) {
                 managedIdentityServiceCredential = new ArcIdentityCredential(clientId, clientBuilder.build());
diff --git a/sdk/identity/azure-identity/src/test/java/com/azure/identity/ManagedIdentityCredentialTest.java b/sdk/identity/azure-identity/src/test/java/com/azure/identity/ManagedIdentityCredentialTest.java
@@ -21,6 +21,8 @@
 import java.time.ZoneOffset;
 import java.util.UUID;
 
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.core.IsInstanceOf.instanceOf;
 import static org.mockito.Mockito.when;
 
 @RunWith(PowerMockRunner.class)
@@ -121,5 +123,86 @@ public void testInvalidIdCombination()  {
         new ManagedIdentityCredentialBuilder().clientId(CLIENT_ID).resourceId(resourceId).build();
     }
 
+    @Test
+    public void testArcIdentityCredentialCreated() {
+        Configuration configuration = Configuration.getGlobalConfiguration().clone();
+
+        configuration.put("IDENTITY_ENDPOINT", "http://localhost");
+        configuration.put("IMDS_ENDPOINT", "http://localhost");
+
+        ManagedIdentityCredential cred = new ManagedIdentityCredentialBuilder().configuration(configuration).build();
+        assertThat("Received class " + cred.managedIdentityServiceCredential.getClass().toString(),
+            cred.managedIdentityServiceCredential, instanceOf(ArcIdentityCredential.class));
+    }
+
+    @Test
+    public void testServiceFabricMsiCredentialCreated() {
+        Configuration configuration = Configuration.getGlobalConfiguration().clone();
+
+        configuration.put("IDENTITY_ENDPOINT", "http://localhost");
+        configuration.put("IDENTITY_SERVER_THUMBPRINT", "thumbprint");
+        configuration.put("IDENTITY_HEADER", "header");
+
+        ManagedIdentityCredential cred = new ManagedIdentityCredentialBuilder().configuration(configuration).build();
+        assertThat("Received class " + cred.managedIdentityServiceCredential.getClass().toString(),
+            cred.managedIdentityServiceCredential, instanceOf(ServiceFabricMsiCredential.class));
+    }
+
+    @Test
+    public void testAppServiceMsi2019CredentialCreated() {
+        Configuration configuration = Configuration.getGlobalConfiguration().clone();
+
+        configuration.put("IDENTITY_ENDPOINT", "http://localhost");
+        configuration.put("IDENTITY_HEADER", "header");
+
+        ManagedIdentityCredential cred = new ManagedIdentityCredentialBuilder().configuration(configuration).build();
+        assertThat("Received class " + cred.managedIdentityServiceCredential.getClass().toString(),
+            cred.managedIdentityServiceCredential, instanceOf(AppServiceMsiCredential.class));
+    }
+
+    @Test
+    public void testAppServiceMsi2017CredentialCreated() {
+        Configuration configuration = Configuration.getGlobalConfiguration().clone();
+
+        configuration.put("MSI_ENDPOINT", "http://localhost");
+        configuration.put("MSI_SECRET", "secret");
+
+        ManagedIdentityCredential cred = new ManagedIdentityCredentialBuilder().configuration(configuration).build();
+        assertThat("Received class " + cred.managedIdentityServiceCredential.getClass().toString(),
+            cred.managedIdentityServiceCredential, instanceOf(AppServiceMsiCredential.class));
+    }
+
+    @Test
+    public void testCloudShellCredentialCreated() {
+        Configuration configuration = Configuration.getGlobalConfiguration().clone();
+
+        configuration.put("MSI_ENDPOINT", "http://localhost");
+
+        ManagedIdentityCredential cred = new ManagedIdentityCredentialBuilder().configuration(configuration).build();
+        assertThat("Received class " + cred.managedIdentityServiceCredential.getClass().toString(),
+            cred.managedIdentityServiceCredential, instanceOf(AppServiceMsiCredential.class));
+    }
+
+    @Test
+    public void testAksExchangeTokenCredentialCreated() {
+        Configuration configuration = Configuration.getGlobalConfiguration().clone();
+
+        configuration.put("AZURE_TENANT_ID", "tenantId");
+        configuration.put("AZURE_CLIENT_ID", "clientId");
+        configuration.put("AZURE_FEDERATED_TOKEN_FILE", "tokenFile");
+
+        ManagedIdentityCredential cred = new ManagedIdentityCredentialBuilder().configuration(configuration).build();
+        assertThat("Received class " + cred.managedIdentityServiceCredential.getClass().toString(),
+            cred.managedIdentityServiceCredential, instanceOf(AksExchangeTokenCredential.class));
+    }
+
+    @Test
+    public void testIMDSPodIdentityV1Credential() {
+        Configuration configuration = Configuration.getGlobalConfiguration().clone();
+
+        ManagedIdentityCredential cred = new ManagedIdentityCredentialBuilder().configuration(configuration).build();
+        assertThat("Received class " + cred.managedIdentityServiceCredential.getClass().toString(),
+            cred.managedIdentityServiceCredential,  instanceOf(VirtualMachineMsiCredential.class));
+    }
 }
 
