Dev credential bugfixes (Azure#37122)

* Bug fixes for developer credentials

* Release prep

* Tests

* fix version client

* fixup versions

* set dep version back to 1.10.1

* port tests to junit5

* use assertThrows

* unused imports

Author: billwert

eng/code-quality-reports/src/main/resources/checkstyle/checkstyle-suppressions.xml

@@ -590,4 +590,10 @@ the main ServiceBusClientBuilder. -->
   <suppress checks="com.azure.tools.checkstyle.checks.GoodLoggingCheck" files="ConsoleLogger.java"/>
   <suppress checks="com.azure.tools.checkstyle.checks.ThrowFromClientLoggerCheck"
             files="com.azure.sdk.build.tool.*\.java"/>
+
+  <!-- Identity tests use paramaterization which requires a public field -->
+  <suppress checks="VisibilityModifier" files="com.azure.identity.AzureCliCredentialNegativeTest.java"/>
+  <suppress checks="VisibilityModifier" files="com.azure.identity.AzureDeveloperCliCredentialNegativeTest.java"/>
+  <suppress checks="VisibilityModifier" files="com.azure.identity.AzureCliCredentialNegativeTest.java"/>
+
 </suppressions>

sdk/e2e/src/main/java/com/azure/endtoend/identity/CliToolsTest.java

@@ -0,0 +1,80 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.azure.endtoend.identity;
+
+import com.azure.core.credential.AccessToken;
+import com.azure.core.credential.TokenRequestContext;
+import com.azure.core.util.Configuration;
+import com.azure.core.util.CoreUtils;
+import com.azure.core.util.logging.ClientLogger;
+import com.azure.identity.AzureCliCredential;
+import com.azure.identity.AzureCliCredentialBuilder;
+import com.azure.identity.AzureDeveloperCliCredential;
+import com.azure.identity.AzureDeveloperCliCredentialBuilder;
+import com.azure.identity.AzurePowerShellCredential;
+import com.azure.identity.AzurePowerShellCredentialBuilder;
+
+import java.util.Locale;
+
+public class CliToolsTest {
+    private static final String AZURE_CLI_TOOLS_TEST_MODE = "AZURE_CLI_TOOLS_TEST_MODE";
+    private static final Configuration CONFIGURATION = Configuration.getGlobalConfiguration().clone();
+    private static final ClientLogger logger = new ClientLogger(CliToolsTest.class);
+    private static final String errorString = "Test mode is not set. Set environment variable AZURE_CLI_TOOLS_TEST_MODE to azd, azcli, or azps";
+    public void run() {
+
+        if (CoreUtils.isNullOrEmpty(CONFIGURATION.get(AZURE_CLI_TOOLS_TEST_MODE))) {
+            throw logger.logExceptionAsError(new IllegalStateException(errorString));
+        }
+
+
+        String mode = CONFIGURATION.get(AZURE_CLI_TOOLS_TEST_MODE).toLowerCase(Locale.ENGLISH);
+        switch (mode) {
+            case "azd":
+                testAzd();
+                break;
+            case "azcli":
+                testAzCli();
+                break;
+            case "azps":
+                testAzPs();
+                break;
+            default:
+                throw logger.logExceptionAsError(new IllegalStateException(errorString));
+        }
+    }
+
+    private void testAzd() {
+        AzureDeveloperCliCredential credential = new AzureDeveloperCliCredentialBuilder().build();
+        TokenRequestContext tokenRequestContext = new TokenRequestContext().addScopes("https://graph.microsoft.com/.default");
+        AccessToken tokenCredential = credential.getToken(tokenRequestContext).block();
+        if (tokenCredential == null) {
+            System.out.println("Failed to get token from AzureDeveloperCliCredential");
+        } else {
+            System.out.println("Successfully got token from AzureDeveloperCliCredential");
+        }
+    }
+
+    private void testAzCli() {
+        AzureCliCredential credential = new AzureCliCredentialBuilder().build();
+        TokenRequestContext tokenRequestContext = new TokenRequestContext().addScopes("https://graph.microsoft.com/.default");
+        AccessToken tokenCredential = credential.getToken(tokenRequestContext).block();
+        if (tokenCredential == null) {
+            System.out.println("Failed to get token from AzureCliCredential");
+        } else {
+            System.out.println("Successfully got token from AzureCliCredential");
+        }
+    }
+
+    private void testAzPs() {
+        AzurePowerShellCredential credential = new AzurePowerShellCredentialBuilder().build();
+        TokenRequestContext tokenRequestContext = new TokenRequestContext().addScopes("https://graph.microsoft.com/.default");
+        AccessToken tokenCredential = credential.getToken(tokenRequestContext).block();
+        if (tokenCredential == null) {
+            System.out.println("Failed to get token from AzurePowerShellCredential");
+        } else {
+            System.out.println("Successfully got token from AzurePowerShellCredential");
+        }
+    }
+}

sdk/e2e/src/main/java/com/azure/endtoend/identity/IdentityTest.java

@@ -14,6 +14,7 @@
 public class IdentityTest {
     private static final String AZURE_IDENTITY_TEST_PLATFORM = "AZURE_IDENTITY_TEST_PLATFORM";
     private static final Configuration CONFIGURATION = Configuration.getGlobalConfiguration().clone();
+    private static final String errorString = "Identity Test platform is not set. Set environment variable AZURE_IDENTITY_TEST_PLATFORM to one of:\nwebjobs\nmultitenant\nclitools";
 
     /**
      * Runs the Web jobs identity tests
@@ -22,8 +23,7 @@ public class IdentityTest {
      */
     public static void main(String[] args) throws IllegalStateException {
         if (CoreUtils.isNullOrEmpty(CONFIGURATION.get(AZURE_IDENTITY_TEST_PLATFORM))) {
-            throw new IllegalStateException("Identity Test platform is not set. Set environment "
-                                                               + "variable AZURE_IDENTITY_TEST_PLATFORM to webjobs");
+            throw new IllegalStateException(errorString);
         }
 
         String platform = CONFIGURATION.get(AZURE_IDENTITY_TEST_PLATFORM).toLowerCase(Locale.ENGLISH);
@@ -36,9 +36,12 @@ public static void main(String[] args) throws IllegalStateException {
                 MultiTenantTest multiTenantTest  = new MultiTenantTest();
                 multiTenantTest.run();
                 break;
+            case "clitools":
+                CliToolsTest cliToolsTest = new CliToolsTest();
+                cliToolsTest.run();
+                break;
             default:
-                throw (new IllegalStateException("Invalid Test Platform is configured for AZURE_IDENTITY_TEST_PLATFORM."
-                                                                               + "Possible value is webjobs."));
+                throw new IllegalStateException(errorString);
         }
     }
 }

sdk/identity/azure-identity/CHANGELOG.md

@@ -1,6 +1,6 @@
 # Release History
 
-## 1.11.0-beta.2 (Unreleased)
+## 1.11.0-beta.2 (unreleased)
 
 ### Features Added
 
@@ -10,6 +10,11 @@
 
 ### Other Changes
 
+## 1.10.2 (2023-10-10)
+
+### Bugs Fixed
+- Bug fixes for developer credentials
+
 ## 1.11.0-beta.1 (2023-09-20)
 
 ### Features Added
@@ -19,9 +24,6 @@
 - Fixed flowing `HttpClientOptions` through credentials [#36382](https://github.com/Azure/azure-sdk-for-java/pull/36382)
 - Fixed edge case in Docker where 403s erronously caused CredentialUnavailableExceptions [#36747](https://github.com/Azure/azure-sdk-for-java/pull/36747)
 
-
-
-
 ## 1.10.1 (2023-09-10)
 
 ### Other Changes

sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClient.java

@@ -16,6 +16,7 @@
 import com.azure.identity.implementation.util.IdentityUtil;
 import com.azure.identity.implementation.util.LoggingUtil;
 import com.azure.identity.implementation.util.ScopeUtil;
+import com.azure.identity.implementation.util.ValidationUtil;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.microsoft.aad.msal4j.AuthorizationCodeParameters;
 import com.microsoft.aad.msal4j.AppTokenProviderParameters;
@@ -315,7 +316,6 @@ public Mono<MsalToken> authenticateWithIntelliJ(TokenRequestContext request) {
      * @return a Publisher that emits an AccessToken
      */
     public Mono<AccessToken> authenticateWithAzureCli(TokenRequestContext request) {
-
         StringBuilder azCommand = new StringBuilder("az account get-access-token --output json --resource ");
 
         String scopes = ScopeUtil.scopesToResource(request.getScopes());
@@ -330,11 +330,13 @@ public Mono<AccessToken> authenticateWithAzureCli(TokenRequestContext request) {
 
         try {
             String tenant = IdentityUtil.resolveTenantId(tenantId, request, options);
+            ValidationUtil.validateTenantIdCharacterRange(tenant, LOGGER);
+
             // The default is not correct for many cases, such as when the logged in entity is a service principal.
             if (!CoreUtils.isNullOrEmpty(tenant) && !tenant.equals(IdentityUtil.DEFAULT_TENANT)) {
                 azCommand.append(" --tenant ").append(tenant);
             }
-        } catch (ClientAuthenticationException e) {
+        } catch (ClientAuthenticationException | IllegalArgumentException e) {
             return Mono.error(e);
         }
 
@@ -356,7 +358,6 @@ public Mono<AccessToken> authenticateWithAzureCli(TokenRequestContext request) {
      * @return a Publisher that emits an AccessToken
      */
     public Mono<AccessToken> authenticateWithAzureDeveloperCli(TokenRequestContext request) {
-
         StringBuilder azdCommand = new StringBuilder("azd auth token --output json --scope ");
         List<String> scopes = request.getScopes();
 
@@ -366,16 +367,27 @@ public Mono<AccessToken> authenticateWithAzureDeveloperCli(TokenRequestContext r
             return Mono.error(LOGGER.logExceptionAsError(new IllegalArgumentException("Missing scope in request")));
         }
 
+        for (String scope : scopes) {
+            try {
+                ScopeUtil.validateScope(scope);
+            } catch (IllegalArgumentException ex) {
+                return Mono.error(LOGGER.logExceptionAsError(ex));
+            }
+        }
+
+
         // At least one scope is appended to the azd command.
         // If there are more than one scope, we add `--scope` before each.
         azdCommand.append(String.join(" --scope ", scopes));
 
         try {
             String tenant = IdentityUtil.resolveTenantId(tenantId, request, options);
+            ValidationUtil.validateTenantIdCharacterRange(tenant, LOGGER);
+
             if (!CoreUtils.isNullOrEmpty(tenant) && !tenant.equals(IdentityUtil.DEFAULT_TENANT)) {
                 azdCommand.append(" --tenant-id ").append(tenant);
             }
-        } catch (ClientAuthenticationException e) {
+        } catch (ClientAuthenticationException | IllegalArgumentException e) {
             return Mono.error(e);
         }
 
@@ -396,7 +408,7 @@ public Mono<AccessToken> authenticateWithAzureDeveloperCli(TokenRequestContext r
      * @return a Publisher that emits an AccessToken
      */
     public Mono<AccessToken> authenticateWithAzurePowerShell(TokenRequestContext request) {
-
+        ValidationUtil.validateTenantIdCharacterRange(tenantId, LOGGER);
         List<CredentialUnavailableException> exceptions = new ArrayList<>(2);
 
         PowershellManager defaultPowerShellManager = new PowershellManager(Platform.isWindows()
@@ -454,6 +466,12 @@ public Mono<AccessToken> authenticateWithOBO(TokenRequestContext request) {
 
     private Mono<AccessToken> getAccessTokenFromPowerShell(TokenRequestContext request,
                                                            PowershellManager powershellManager) {
+        String scope = ScopeUtil.scopesToResource(request.getScopes());
+        try {
+            ScopeUtil.validateScope(scope);
+        } catch (IllegalArgumentException ex) {
+            throw LOGGER.logExceptionAsError(ex);
+        }
         return Mono.using(() -> powershellManager, manager -> manager.initSession().flatMap(m -> {
             String azAccountsCommand = "Import-Module Az.Accounts -MinimumVersion 2.2.0 -PassThru";
             return m.runCommand(azAccountsCommand).flatMap(output -> {
@@ -466,8 +484,9 @@ private Mono<AccessToken> getAccessTokenFromPowerShell(TokenRequestContext reque
                 }
 
                 LOGGER.verbose("Az.accounts module was found installed.");
-                String command = "Get-AzAccessToken -ResourceUrl " + ScopeUtil.scopesToResource(request.getScopes())
-                                 + " | ConvertTo-Json";
+                String command = "Get-AzAccessToken -ResourceUrl '"
+                    + scope
+                    + "' | ConvertTo-Json";
                 LOGGER.verbose("Azure Powershell Authentication => Executing the command `{}` in Azure "
                                + "Powershell to retrieve the Access Token.", command);
 

sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentitySyncClient.java

@@ -12,6 +12,7 @@
 import com.azure.identity.implementation.util.IdentityUtil;
 import com.azure.identity.implementation.util.LoggingUtil;
 import com.azure.identity.implementation.util.ScopeUtil;
+import com.azure.identity.implementation.util.ValidationUtil;
 import com.microsoft.aad.msal4j.AppTokenProviderParameters;
 import com.microsoft.aad.msal4j.ClaimsRequest;
 import com.microsoft.aad.msal4j.ClientCredentialFactory;
@@ -345,7 +346,6 @@ public MsalToken authenticateWithBrowserInteraction(TokenRequestContext request,
      * @return a Publisher that emits an AccessToken
      */
     public AccessToken authenticateWithAzureCli(TokenRequestContext request) {
-
         StringBuilder azCommand = new StringBuilder("az account get-access-token --output json --resource ");
 
         String scopes = ScopeUtil.scopesToResource(request.getScopes());
@@ -359,9 +359,11 @@ public AccessToken authenticateWithAzureCli(TokenRequestContext request) {
         azCommand.append(scopes);
 
         String tenant = IdentityUtil.resolveTenantId(tenantId, request, options);
+        ValidationUtil.validateTenantIdCharacterRange(tenant, LOGGER);
 
         if (!CoreUtils.isNullOrEmpty(tenant)) {
             azCommand.append(" --tenant ").append(tenant);
+
         }
 
         try {
@@ -392,11 +394,22 @@ public AccessToken authenticateWithAzureDeveloperCli(TokenRequestContext request
             throw LOGGER.logExceptionAsError(new IllegalArgumentException("Missing scope in request"));
         }
 
+        scopes.forEach(scope -> {
+            try {
+                ScopeUtil.validateScope(scope);
+            } catch (IllegalArgumentException ex) {
+                throw LOGGER.logExceptionAsError(ex);
+            }
+        });
+
+
         // At least one scope is appended to the azd command.
         // If there are more than one scope, we add `--scope` before each.
         azdCommand.append(String.join(" --scope ", scopes));
 
         String tenant = IdentityUtil.resolveTenantId(tenantId, request, options);
+        ValidationUtil.validateTenantIdCharacterRange(tenant, LOGGER);
+
         if (!CoreUtils.isNullOrEmpty(tenant)) {
             azdCommand.append(" --tenant-id ").append(tenant);
         }

sdk/identity/azure-identity/src/test/java/com/azure/identity/AzureCliCredentialNegativeTest.java

@@ -0,0 +1,60 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.azure.identity;
+
+import com.azure.core.credential.TokenRequestContext;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.MethodSource;
+import reactor.test.StepVerifier;
+
+import java.util.stream.Stream;
+
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+
+public class AzureCliCredentialNegativeTest {
+
+    static Stream<String> invalidCharacters() {
+        return Stream.of("|", "&", ";");
+    }
+    @ParameterizedTest
+    @MethodSource("invalidCharacters")
+    public void testInvalidScopeFromRequest(String invalidCharacter) {
+        TokenRequestContext request = new TokenRequestContext().addScopes("scope" + invalidCharacter);
+
+
+        AzureCliCredential credential = new AzureCliCredentialBuilder().build();
+
+        StepVerifier.create(credential.getToken(request))
+            .expectErrorMatches(e -> e instanceof IllegalArgumentException)
+            .verify();
+    }
+    @ParameterizedTest
+    @MethodSource("invalidCharacters")
+    public void testInvalidTenantFromRequest(String invalidCharacter) {
+        TokenRequestContext request = new TokenRequestContext().addScopes("scope").setTenantId("tenant" + invalidCharacter);
+        AzureCliCredential credential = new AzureCliCredentialBuilder().build();
+
+        StepVerifier.create(credential.getToken(request))
+            .expectErrorMatches(e -> e instanceof IllegalArgumentException)
+            .verify();
+    }
+
+    @ParameterizedTest
+    @MethodSource("invalidCharacters")
+    public void testInvalidScopeFromRequestSync(String invalidCharacter) {
+        TokenRequestContext request = new TokenRequestContext().addScopes("scope" + invalidCharacter);
+
+        AzureCliCredential credential = new AzureCliCredentialBuilder().build();
+        assertThrows(IllegalArgumentException.class, () -> credential.getTokenSync(request));
+    }
+
+    @ParameterizedTest
+    @MethodSource("invalidCharacters")
+    public void testInvalidTenantFromRequestSync(String invalidCharacter) {
+        TokenRequestContext request = new TokenRequestContext().addScopes("scope").setTenantId("tenant" + invalidCharacter);
+        AzureCliCredential credential = new AzureCliCredentialBuilder().build();
+        assertThrows(IllegalArgumentException.class, () -> credential.getTokenSync(request));
+    }
+}