Use TokenCredential in search clients (Azure#22726)

* Use TokenCredential in search clients

* Update public API file

Author: Mohit-Chakraborty

sdk/search/Azure.Search.Documents/api/Azure.Search.Documents.netstandard2.0.cs

@@ -27,6 +27,8 @@ public partial class SearchClient
         protected SearchClient() { }
         public SearchClient(System.Uri endpoint, string indexName, Azure.AzureKeyCredential credential) { }
         public SearchClient(System.Uri endpoint, string indexName, Azure.AzureKeyCredential credential, Azure.Search.Documents.SearchClientOptions options) { }
+        public SearchClient(System.Uri endpoint, string indexName, Azure.Core.TokenCredential tokenCredential) { }
+        public SearchClient(System.Uri endpoint, string indexName, Azure.Core.TokenCredential tokenCredential, Azure.Search.Documents.SearchClientOptions options) { }
         public virtual System.Uri Endpoint { get { throw null; } }
         public virtual string IndexName { get { throw null; } }
         public virtual string ServiceName { get { throw null; } }
@@ -187,6 +189,8 @@ public partial class SearchIndexClient
         protected SearchIndexClient() { }
         public SearchIndexClient(System.Uri endpoint, Azure.AzureKeyCredential credential) { }
         public SearchIndexClient(System.Uri endpoint, Azure.AzureKeyCredential credential, Azure.Search.Documents.SearchClientOptions options) { }
+        public SearchIndexClient(System.Uri endpoint, Azure.Core.TokenCredential tokenCredential) { }
+        public SearchIndexClient(System.Uri endpoint, Azure.Core.TokenCredential tokenCredential, Azure.Search.Documents.SearchClientOptions options) { }
         public virtual System.Uri Endpoint { get { throw null; } }
         public virtual string ServiceName { get { throw null; } }
         public virtual Azure.Response<System.Collections.Generic.IReadOnlyList<Azure.Search.Documents.Indexes.Models.AnalyzedTokenInfo>> AnalyzeText(string indexName, Azure.Search.Documents.Indexes.Models.AnalyzeTextOptions options, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }
@@ -230,6 +234,8 @@ public partial class SearchIndexerClient
         protected SearchIndexerClient() { }
         public SearchIndexerClient(System.Uri endpoint, Azure.AzureKeyCredential credential) { }
         public SearchIndexerClient(System.Uri endpoint, Azure.AzureKeyCredential credential, Azure.Search.Documents.SearchClientOptions options) { }
+        public SearchIndexerClient(System.Uri endpoint, Azure.Core.TokenCredential tokenCredential) { }
+        public SearchIndexerClient(System.Uri endpoint, Azure.Core.TokenCredential tokenCredential, Azure.Search.Documents.SearchClientOptions options) { }
         public virtual System.Uri Endpoint { get { throw null; } }
         public virtual string ServiceName { get { throw null; } }
         public virtual Azure.Response<Azure.Search.Documents.Indexes.Models.SearchIndexerDataSourceConnection> CreateDataSourceConnection(Azure.Search.Documents.Indexes.Models.SearchIndexerDataSourceConnection dataSourceConnection, System.Threading.CancellationToken cancellationToken = default(System.Threading.CancellationToken)) { throw null; }

sdk/search/Azure.Search.Documents/src/Indexes/SearchIndexClient.cs

@@ -50,6 +50,21 @@ public SearchIndexClient(Uri endpoint, AzureKeyCredential credential) :
         {
         }
 
+        /// <summary>
+        /// Initializes a new instance of the <see cref="SearchIndexClient"/> class.
+        /// </summary>
+        /// <param name="endpoint">Required. The URI endpoint of the Search service. This is likely to be similar to "https://{search_service}.search.windows.net". The URI must use HTTPS.</param>
+        /// <param name="tokenCredential">
+        /// Required. The token credential used to authenticate requests against the Search service.
+        /// See <see href="https://docs.microsoft.com/azure/search/search-security-rbac">Use role-based authorization in Azure Cognitive Search</see> for more information about role-based authorization in Azure Cognitive Search.
+        /// </param>
+        /// <exception cref="ArgumentNullException">Thrown when the <paramref name="endpoint"/> or <paramref name="tokenCredential"/> is null.</exception>
+        /// <exception cref="ArgumentException">Thrown when the <paramref name="endpoint"/> is not using HTTPS.</exception>
+        public SearchIndexClient(Uri endpoint, TokenCredential tokenCredential) :
+            this(endpoint, tokenCredential, null)
+        {
+        }
+
         /// <summary>
         /// Initializes a new instance of the <see cref="SearchIndexClient"/> class.
         /// </summary>
@@ -79,6 +94,35 @@ public SearchIndexClient(
             _version = options.Version;
         }
 
+        /// <summary>
+        /// Initializes a new instance of the <see cref="SearchIndexClient"/> class.
+        /// </summary>
+        /// <param name="endpoint">Required. The URI endpoint of the Search service. This is likely to be similar to "https://{search_service}.search.windows.net". The URI must use HTTPS.</param>
+        /// <param name="tokenCredential">
+        /// Required. The token credential used to authenticate requests against the Search service.
+        /// See <see href="https://docs.microsoft.com/azure/search/search-security-rbac">Use role-based authorization in Azure Cognitive Search</see> for more information about role-based authorization in Azure Cognitive Search.
+        /// </param>
+        /// <param name="options">Client configuration options for connecting to Azure Cognitive Search.</param>
+        /// <exception cref="ArgumentNullException">Thrown when the <paramref name="endpoint"/> or <paramref name="tokenCredential"/> is null.</exception>
+        /// <exception cref="ArgumentException">Thrown when the <paramref name="endpoint"/> is not using HTTPS.</exception>
+        [System.Diagnostics.CodeAnalysis.SuppressMessage("Usage", "AZC0006:DO provide constructor overloads that allow specifying additional options.", Justification = "Avoid ambiguous method definition")]
+        public SearchIndexClient(
+            Uri endpoint,
+            TokenCredential tokenCredential,
+            SearchClientOptions options)
+        {
+            Argument.AssertNotNull(endpoint, nameof(endpoint));
+            endpoint.AssertHttpsScheme(nameof(endpoint));
+            Argument.AssertNotNull(tokenCredential, nameof(tokenCredential));
+
+            options ??= new SearchClientOptions();
+            Endpoint = endpoint;
+            _serializer = options.Serializer;
+            _clientDiagnostics = new ClientDiagnostics(options);
+            _pipeline = options.Build(tokenCredential);
+            _version = options.Version;
+        }
+
         /// <summary>
         /// Initializes a new instance of the <see cref="SearchIndexClient"/> class.
         /// </summary>

sdk/search/Azure.Search.Documents/src/Indexes/SearchIndexerClient.cs

@@ -49,6 +49,21 @@ public SearchIndexerClient(Uri endpoint, AzureKeyCredential credential) :
         {
         }
 
+        /// <summary>
+        /// Initializes a new instance of the <see cref="SearchIndexerClient"/> class.
+        /// </summary>
+        /// <param name="endpoint">Required. The URI endpoint of the Search service. This is likely to be similar to "https://{search_service}.search.windows.net". The URI must use HTTPS.</param>
+        /// <param name="tokenCredential">
+        /// Required.The token credential used to authenticate requests against the Search service.
+        /// See <see href="https://docs.microsoft.com/azure/search/search-security-rbac">Use role-based authorization in Azure Cognitive Search</see> for more information about role-based authorization in Azure Cognitive Search.
+        /// </param>
+        /// <exception cref="ArgumentNullException">Thrown when the <paramref name="endpoint"/> or <paramref name="tokenCredential"/> is null.</exception>
+        /// <exception cref="ArgumentException">Thrown when the <paramref name="endpoint"/> is not using HTTPS.</exception>
+        public SearchIndexerClient(Uri endpoint, TokenCredential tokenCredential) :
+            this(endpoint, tokenCredential, null)
+        {
+        }
+
         /// <summary>
         /// Initializes a new instance of the <see cref="SearchIndexerClient"/> class.
         /// </summary>
@@ -77,6 +92,34 @@ public SearchIndexerClient(
             _version = options.Version;
         }
 
+        /// <summary>
+        /// Initializes a new instance of the <see cref="SearchIndexerClient"/> class.
+        /// </summary>
+        /// <param name="endpoint">Required. The URI endpoint of the Search service. This is likely to be similar to "https://{search_service}.search.windows.net". The URI must use HTTPS.</param>
+        /// <param name="tokenCredential">
+        /// Required. The token credential used to authenticate requests against the Search service.
+        /// See <see href="https://docs.microsoft.com/azure/search/search-security-rbac">Use role-based authorization in Azure Cognitive Search</see> for more information about role-based authorization in Azure Cognitive Search.
+        /// </param>
+        /// <param name="options">Client configuration options for connecting to Azure Cognitive Search.</param>
+        /// <exception cref="ArgumentNullException">Thrown when the <paramref name="endpoint"/> or <paramref name="tokenCredential"/> is null.</exception>
+        /// <exception cref="ArgumentException">Thrown when the <paramref name="endpoint"/> is not using HTTPS.</exception>
+        [System.Diagnostics.CodeAnalysis.SuppressMessage("Usage", "AZC0006:DO provide constructor overloads that allow specifying additional options.", Justification = "Avoid ambiguous method definition")]
+        public SearchIndexerClient(
+            Uri endpoint,
+            TokenCredential tokenCredential,
+            SearchClientOptions options)
+        {
+            Argument.AssertNotNull(endpoint, nameof(endpoint));
+            endpoint.AssertHttpsScheme(nameof(endpoint));
+            Argument.AssertNotNull(tokenCredential, nameof(tokenCredential));
+
+            options ??= new SearchClientOptions();
+            Endpoint = endpoint;
+            _clientDiagnostics = new ClientDiagnostics(options);
+            _pipeline = options.Build(tokenCredential);
+            _version = options.Version;
+        }
+
         /// <summary>
         /// Gets the URI endpoint of the Search service.  This is likely
         /// to be similar to "https://{search_service}.search.windows.net".

sdk/search/Azure.Search.Documents/src/SearchClient.cs

@@ -120,6 +120,40 @@ public SearchClient(
         {
         }
 
+        /// <summary>
+        /// Initializes a new instance of the SearchClient class for
+        /// querying an index and uploading, merging, or deleting documents.
+        /// </summary>
+        /// <param name="endpoint">
+        /// Required.  The URI endpoint of the Search Service.  This is likely
+        /// to be similar to "https://{search_service}.search.windows.net".
+        /// The URI must use HTTPS.
+        /// </param>
+        /// <param name="indexName">
+        /// Required.  The name of the Search Index.
+        /// </param>
+        /// <param name="tokenCredential">
+        /// Required.  The token credential used to authenticate requests against the Search service.
+        /// See <see href="https://docs.microsoft.com/azure/search/search-security-rbac">Use role-based authorization in Azure Cognitive Search</see> for
+        /// more information about role-based authorization in Azure Cognitive Search.
+        /// </param>
+        /// <exception cref="ArgumentNullException">
+        /// Thrown when the <paramref name="endpoint"/>,
+        /// <paramref name="indexName"/>, or <paramref name="tokenCredential"/> is
+        /// null.
+        /// </exception>
+        /// <exception cref="ArgumentException">
+        /// Thrown when the <paramref name="endpoint"/> is not using HTTPS or
+        /// the <paramref name="indexName"/> is empty.
+        /// </exception>
+        public SearchClient(
+            Uri endpoint,
+            string indexName,
+            TokenCredential tokenCredential) :
+            this(endpoint, indexName, tokenCredential, null)
+        {
+        }
+
         /// <summary>
         /// Initializes a new instance of the SearchClient class for
         /// querying an index and uploading, merging, or deleting documents.
@@ -180,6 +214,65 @@ public SearchClient(
                 Version.ToVersionString());
         }
 
+        /// <summary>
+        /// Initializes a new instance of the SearchClient class for
+        /// querying an index and uploading, merging, or deleting documents.
+        /// </summary>
+        /// <param name="endpoint">
+        /// Required.  The URI endpoint of the Search Service.  This is likely
+        /// to be similar to "https://{search_service}.search.windows.net".
+        /// The URI must use HTTPS.
+        /// </param>
+        /// <param name="indexName">
+        /// Required.  The name of the Search Index.
+        /// </param>
+        /// <param name="tokenCredential">
+        /// Required.  The token credential used to authenticate requests against the Search service.
+        /// See <see href="https://docs.microsoft.com/azure/search/search-security-rbac">Use role-based authorization in Azure Cognitive Search</see> for
+        /// more information about role-based authorization in Azure Cognitive Search.
+        /// </param>
+        /// <param name="options">
+        /// Client configuration options for connecting to Azure Cognitive
+        /// Search.
+        /// </param>
+        /// <exception cref="ArgumentNullException">
+        /// Thrown when the <paramref name="endpoint"/>,
+        /// <paramref name="indexName"/>, or <paramref name="tokenCredential"/> is
+        /// null.
+        /// </exception>
+        /// <exception cref="ArgumentException">
+        /// Thrown when the <paramref name="endpoint"/> is not using HTTPS or
+        /// the <paramref name="indexName"/> is empty.
+        /// </exception>
+        [System.Diagnostics.CodeAnalysis.SuppressMessage("Usage", "AZC0006:DO provide constructor overloads that allow specifying additional options.", Justification = "Avoid ambiguous method definition")]
+        public SearchClient(
+            Uri endpoint,
+            string indexName,
+            TokenCredential tokenCredential,
+            SearchClientOptions options)
+        {
+            Argument.AssertNotNull(endpoint, nameof(endpoint));
+            endpoint.AssertHttpsScheme(nameof(endpoint));
+            Argument.AssertNotNullOrEmpty(indexName, nameof(indexName));
+            Argument.AssertNotNull(tokenCredential, nameof(tokenCredential));
+
+            options ??= new SearchClientOptions();
+            Endpoint = endpoint;
+            IndexName = indexName;
+            Serializer = options.Serializer;
+            ClientDiagnostics = new ClientDiagnostics(options);
+            Pipeline = options.Build(tokenCredential);
+            Version = options.Version;
+
+            Protocol = new DocumentsRestClient(
+                ClientDiagnostics,
+                Pipeline,
+                endpoint.AbsoluteUri,
+                indexName,
+                null,
+                Version.ToVersionString());
+        }
+
         /// <summary>
         /// Initializes a new instance of the SearchClient class from a
         /// <see cref="SearchIndexClient"/>.

sdk/search/Azure.Search.Documents/src/SearchClientOptions.cs

@@ -110,6 +110,23 @@ internal HttpPipeline Build(AzureKeyCredential credential)
                 responseClassifier: null);
         }
 
+        /// <summary>
+        /// Create an <see cref="HttpPipeline"/> to send requests to the Search service.
+        /// </summary>
+        /// <param name="credential">
+        /// The <see cref="TokenCredential"/> to authenticate requests.
+        /// </param>
+        /// <returns>An <see cref="HttpPipeline"/> to send requests.</returns>
+        internal HttpPipeline Build(TokenCredential credential)
+        {
+            Debug.Assert(credential != null);
+            return HttpPipelineBuilder.Build(
+                options: this,
+                perCallPolicies: new[] { new BearerTokenAuthenticationPolicy(credential, Constants.CredentialScopeName) },
+                perRetryPolicies: Array.Empty<HttpPipelinePolicy>(),
+                responseClassifier: null);
+        }
+
         /// <summary>
         /// Add the allow list headers to the <see cref="DiagnosticsOptions"/>
         /// that are considered safe for logging/exceptions by default.

sdk/search/Azure.Search.Documents/src/Utilities/Constants.cs

@@ -21,6 +21,11 @@ internal static class Constants
         /// </summary>
         public const string ApiKeyHeaderName = "api-key";
 
+        /// <summary>
+        /// The name of the scope to authenticate for when creating a <see cref="Azure.Core.Pipeline.BearerTokenAuthenticationPolicy"/>
+        /// </summary>
+        public const string CredentialScopeName = "https://search.azure.com/.default";
+
         /// <summary>
         /// Gets the representation of a NaN value.
         /// </summary>

sdk/search/Azure.Search.Documents/tests/SearchClientTests.cs

@@ -29,8 +29,10 @@ public void Constructor()
             Assert.Throws<ArgumentNullException>(() => new SearchClient(null, indexName, new AzureKeyCredential("fake")));
             Assert.Throws<ArgumentNullException>(() => new SearchClient(endpoint, null, new AzureKeyCredential("fake")));
             Assert.Throws<ArgumentException>(() => new SearchClient(endpoint, string.Empty, new AzureKeyCredential("fake")));
-            Assert.Throws<ArgumentNullException>(() => new SearchClient(endpoint, indexName, null));
-            Assert.Throws<ArgumentException>(() => new SearchClient(new Uri("http://bing.com"), indexName, null));
+            Assert.Throws<ArgumentNullException>(() => new SearchClient(endpoint, indexName, credential: null));
+            Assert.Throws<ArgumentException>(() => new SearchClient(new Uri("http://bing.com"), indexName, credential: null));
+
+            Assert.Throws<ArgumentNullException>(() => new SearchClient(endpoint, indexName, tokenCredential: null));
         }
 
         [Test]

sdk/search/Azure.Search.Documents/tests/SearchIndexClientTests.cs

@@ -33,8 +33,9 @@ public void Constructor()
             Assert.AreEqual(serviceName, service.ServiceName);
 
             Assert.Throws<ArgumentNullException>(() => new SearchIndexClient(null, new AzureKeyCredential("fake")));
-            Assert.Throws<ArgumentNullException>(() => new SearchIndexClient(endpoint, null));
-            Assert.Throws<ArgumentException>(() => new SearchIndexClient(new Uri("http://bing.com"), null));
+            Assert.Throws<ArgumentNullException>(() => new SearchIndexClient(endpoint, credential: null));
+            Assert.Throws<ArgumentNullException>(() => new SearchIndexClient(endpoint, tokenCredential: null));
+            Assert.Throws<ArgumentException>(() => new SearchIndexClient(new Uri("http://bing.com"), credential: null));
         }
 
         [Test]

sdk/search/Azure.Search.Documents/tests/SearchIndexerClientTests.cs

@@ -32,8 +32,9 @@ public void Constructor()
             Assert.AreEqual(serviceName, service.ServiceName);
 
             Assert.Throws<ArgumentNullException>(() => new SearchIndexerClient(null, new AzureKeyCredential("fake")));
-            Assert.Throws<ArgumentNullException>(() => new SearchIndexerClient(endpoint, null));
-            Assert.Throws<ArgumentException>(() => new SearchIndexerClient(new Uri("http://bing.com"), null));
+            Assert.Throws<ArgumentNullException>(() => new SearchIndexerClient(endpoint, credential: null));
+            Assert.Throws<ArgumentNullException>(() => new SearchIndexerClient(endpoint, tokenCredential: null));
+            Assert.Throws<ArgumentException>(() => new SearchIndexerClient(new Uri("http://bing.com"), credential: null));
         }
 
         [Test]