Handle Docker Desktop 403 response from IMDS endpoint (Azure#21432)

Author: chlowell

sdk/azidentity/CHANGELOG.md

@@ -12,6 +12,9 @@
   tokens by default or observe the environment variable "AZURE_IDENTITY_DISABLE_CP1".
 
 ### Bugs Fixed
+* Credential chains such as `DefaultAzureCredential` now try their next credential, if any, when
+  managed identity authentication fails in a Docker Desktop container
+  ([#21417](https://github.com/Azure/azure-sdk-for-go/issues/21417))
 
 ### Other Changes
 

sdk/azidentity/managed_identity_client.go

@@ -175,15 +175,25 @@ func (c *managedIdentityClient) authenticate(ctx context.Context, id ManagedIDKi
 		return c.createAccessToken(resp)
 	}
 
-	if c.msiType == msiTypeIMDS && resp.StatusCode == 400 {
-		if id != nil {
-			return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "the requested identity isn't assigned to this resource", resp, nil)
-		}
-		msg := "failed to authenticate a system assigned identity"
-		if body, err := runtime.Payload(resp); err == nil && len(body) > 0 {
-			msg += fmt.Sprintf(". The endpoint responded with %s", body)
+	if c.msiType == msiTypeIMDS {
+		switch resp.StatusCode {
+		case http.StatusBadRequest:
+			if id != nil {
+				return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "the requested identity isn't assigned to this resource", resp, nil)
+			}
+			msg := "failed to authenticate a system assigned identity"
+			if body, err := runtime.Payload(resp); err == nil && len(body) > 0 {
+				msg += fmt.Sprintf(". The endpoint responded with %s", body)
+			}
+			return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, msg)
+		case http.StatusForbidden:
+			// Docker Desktop runs a proxy that responds 403 to IMDS token requests. If we get that response,
+			// we return credentialUnavailableError so credential chains continue to their next credential
+			body, err := runtime.Payload(resp)
+			if err == nil && strings.Contains(string(body), "A socket operation was attempted to an unreachable network") {
+				return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, fmt.Sprintf("unexpected response %q", string(body)))
+			}
 		}
-		return azcore.AccessToken{}, newCredentialUnavailableError(credNameManagedIdentity, msg)
 	}
 
 	return azcore.AccessToken{}, newAuthenticationFailedError(credNameManagedIdentity, "authentication failed", resp, nil)

sdk/azidentity/managed_identity_client_test.go

@@ -8,6 +8,8 @@ package azidentity
 
 import (
 	"context"
+	"errors"
+	"fmt"
 	"net/http"
 	"net/url"
 	"strings"
@@ -76,23 +78,44 @@ func TestManagedIdentityClient_ApplicationID(t *testing.T) {
 	}
 }
 
-func TestManagedIdentityClient_IMDS400(t *testing.T) {
-	srv, close := mock.NewServer(mock.WithTransformAllRequestsToTestServerUrl())
-	defer close()
-	body := `{"error":"invalid_request","error_description":"Identity not found"}`
-	srv.SetResponse(mock.WithBody([]byte(body)), mock.WithStatusCode(http.StatusBadRequest))
-	client, err := newManagedIdentityClient(&ManagedIdentityCredentialOptions{
-		ClientOptions: azcore.ClientOptions{Transport: srv},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-	_, err = client.authenticate(context.Background(), nil, testTRO.Scopes)
-	if err == nil {
-		t.Fatal("expected an error")
-	}
-	if actual := err.Error(); !strings.Contains(actual, body) {
-		t.Fatalf("expected response body in error, got %q", actual)
+func TestManagedIdentityClient_IMDSErrors(t *testing.T) {
+	for _, test := range []struct {
+		body, desc string
+		code       int
+	}{
+		{
+			desc: "No identity assigned",
+			code: http.StatusBadRequest,
+			body: `{"error":"invalid_request","error_description":"Identity not found"}`,
+		},
+		{
+			desc: "Docker Desktop",
+			code: http.StatusForbidden,
+			body: "connecting to 169.254.169.254:80: connecting to 169.254.169.254:80: dial tcp 169.254.169.254:80: connectex: A socket operation was attempted to an unreachable network.",
+		},
+	} {
+		t.Run(fmt.Sprint(test.code), func(t *testing.T) {
+			srv, close := mock.NewServer(mock.WithTransformAllRequestsToTestServerUrl())
+			defer close()
+			srv.SetResponse(mock.WithBody([]byte(test.body)), mock.WithStatusCode(test.code))
+			client, err := newManagedIdentityClient(&ManagedIdentityCredentialOptions{
+				ClientOptions: azcore.ClientOptions{Transport: srv},
+			})
+			if err != nil {
+				t.Fatal(err)
+			}
+			_, err = client.authenticate(context.Background(), nil, testTRO.Scopes)
+			if err == nil {
+				t.Fatal("expected an error")
+			}
+			if actual := err.Error(); !strings.Contains(actual, test.body) {
+				t.Fatalf("expected response body in error, got %q", actual)
+			}
+			var unavailableErr *credentialUnavailableError
+			if !errors.As(err, &unavailableErr) {
+				t.Fatalf("expected %T, got %T", unavailableErr, err)
+			}
+		})
 	}
 }