Handle Docker Desktop 403 response for IMDS endpoint (Azure#38321)

christothes · web-flow · commit b0f487856f28 · 2023-08-22T17:35:05.000-05:00
diff --git a/sdk/identity/Azure.Identity/CHANGELOG.md b/sdk/identity/Azure.Identity/CHANGELOG.md
@@ -8,6 +8,8 @@
 
 ### Bugs Fixed
 
+- `ManagedIdentityCredential` will fall through to the next credential in the chain in the case that Docker Desktop returns a 403 response when attempting to access the IMDS endpoint. [#38218](https://github.com/Azure/azure-sdk-for-net/issues/38218)
+
 ### Other Changes
 
 ## 1.10.0 (2023-08-14)
diff --git a/sdk/identity/Azure.Identity/src/ImdsManagedIdentitySource.cs b/sdk/identity/Azure.Identity/src/ImdsManagedIdentitySource.cs
@@ -40,15 +40,15 @@ internal ImdsManagedIdentitySource(ManagedIdentityClientOptions options) : base(
             _imdsNetworkTimeout = options.InitialImdsConnectionTimeout;
 
             if (!string.IsNullOrEmpty(EnvironmentVariables.PodIdentityEndpoint))
-			{
-				var builder = new UriBuilder(EnvironmentVariables.PodIdentityEndpoint);
-            	builder.Path = imddsTokenPath;
+            {
+                var builder = new UriBuilder(EnvironmentVariables.PodIdentityEndpoint);
+                builder.Path = imddsTokenPath;
                 _imdsEndpoint = builder.Uri;
-			}
-			else
-			{
-            	_imdsEndpoint = s_imdsEndpoint;
-			}
+            }
+            else
+            {
+                _imdsEndpoint = s_imdsEndpoint;
+            }
         }
 
         protected override Request CreateRequest(string[] scopes)
@@ -103,6 +103,10 @@ public async override ValueTask<AccessToken> AuthenticateAsync(bool async, Token
             {
                 throw new CredentialUnavailableException(AggregateError, e);
             }
+            catch (CredentialUnavailableException)
+            {
+                throw;
+            }
         }
 
         protected override async ValueTask<AccessToken> HandleResponseAsync(bool async, TokenRequestContext context, Response response, CancellationToken cancellationToken)
diff --git a/sdk/identity/Azure.Identity/src/ManagedIdentitySource.cs b/sdk/identity/Azure.Identity/src/ManagedIdentitySource.cs
@@ -67,6 +67,17 @@ protected virtual async ValueTask<AccessToken> HandleResponseAsync(
                 exception = e;
             }
 
+            //This is a special case for Docker Desktop which responds with a 403 with a message that contains "A socket operation was attempted to an unreachable network"
+            // rather than just timing out, as expected.
+            if (response.Status == 403)
+            {
+                string message = response.Content.ToString();
+                if (message.Contains("A socket operation was attempted to an unreachable network"))
+                {
+                    throw new CredentialUnavailableException(UnexpectedResponse, new Exception(message));
+                }
+            }
+
             throw new RequestFailedException(response, exception);
         }
 
diff --git a/sdk/identity/Azure.Identity/tests/ManagedIdentityCredentialTests.cs b/sdk/identity/Azure.Identity/tests/ManagedIdentityCredentialTests.cs
@@ -277,6 +277,24 @@ public void VerifyImdsRequestFailurePopulatesExceptionMessage()
             Assert.That(ex.Message, Does.Contain(expectedMessage));
         }
 
+        [NonParallelizable]
+        [Test]
+        public void VerifyImdsRequestFailureForDockerDesktopThrowsCUE()
+        {
+            using var environment = new TestEnvVar(new() { { "MSI_ENDPOINT", null }, { "MSI_SECRET", null }, { "IDENTITY_ENDPOINT", null }, { "IDENTITY_HEADER", null }, { "AZURE_POD_IDENTITY_AUTHORITY_HOST", null } });
+
+            var expectedMessage = "connecting to 169.254.169.254:80: connecting to 169.254.169.254:80: dial tcp 169.254.169.254:80: connectex: A socket operation was attempted to an unreachable network.";
+            var response = CreateInvalidJsonResponse(403, expectedMessage);
+            var mockTransport = new MockTransport(response);
+            var options = new TokenCredentialOptions() { Transport = mockTransport };
+            var pipeline = CredentialPipeline.GetInstance(options);
+
+            ManagedIdentityCredential credential = InstrumentClient(new ManagedIdentityCredential("mock-client-id", pipeline));
+
+            var ex = Assert.ThrowsAsync<CredentialUnavailableException>(async () => await credential.GetTokenAsync(new TokenRequestContext(MockScopes.Default)));
+            Assert.That(ex.InnerException.Message, Does.Contain(expectedMessage));
+        }
+
         [NonParallelizable]
         [Test]
         public void VerifyImdsRequestFailureWithInvalidJsonPopulatesExceptionMessage()
@@ -920,10 +938,10 @@ private MockResponse CreateErrorMockResponse(int responseCode, string message)
             return response;
         }
 
-        private static MockResponse CreateInvalidJsonResponse(int status)
+        private static MockResponse CreateInvalidJsonResponse(int status, string message = "invalid json")
         {
             var response = new MockResponse(status);
-            response.SetContent("invalid json");
+            response.SetContent(message);
             return response;
         }
     }
