Skip to content

[Identity] CAE b1 #17070

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
jiasli wants to merge 6 commits into from
Closed

[Identity] CAE b1 #17070

jiasli wants to merge 6 commits into from

Conversation

@jiasli
Copy link
Member

@jiasli jiasli commented Feb 24, 2021

Description

CAE beta support build upon

Testing Guide

# Log in with CAE enabled
az login

# Test access token is working as expected
az group list

# Revoke the session
az rest -m POST -u https://graph.microsoft.com/v1.0/me/revokeSignInSessions

az group list --output none
while ($LASTEXITCODE -eq 0)
{
   Write-Output "Access token not revoked yet. Sleeping..."
   Start-Sleep 10
   az group list --output none   
}
Write-Output "Access token has been revoked."

# A failed command using Track 2 SDK
az storage account list

# A failed command using Track 1 SDK
az group list

jiasli
jiasli commented Feb 24, 2021
View reviewed changes
src/azure-cli-testsdk/azure/cli/testsdk/base.py
self.kwargs = {}
self.test_resources_count = 0

patch_main_exception_handler(self)
Copy link
Member Author

@jiasli jiasli Feb 24, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ScenarioTest (inherited from ReplayableTest) patches azure.cli.core.util.handle_exception so that the raw exception is thrown and can be captured by assertRaises. (handle_exception silences any exception.)

Do the same for LiveScenarioTest.

jiasli
jiasli commented Feb 24, 2021
View reviewed changes
src/azure-cli-core/azure/cli/core/cloud.py
endpoints=CloudEndpoints(
management='https://management.core.windows.net/',
resource_manager='https://management.azure.com/',
resource_manager='https://eastus2euap.management.azure.com/',
Copy link
Member Author

@jiasli jiasli Feb 24, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using canary ARM endpoint causes CI failure:

https://dev.azure.com/azure-sdk/public/_build/results?buildId=750605&view=logs&j=75453f46-9c6c-5df4-6021-c5646ce3452d&t=4b9b4997-7a06-5274-d89c-915764f2e7f7&l=213892

____________________ TestCloud.test_metadata_url_endpoints _____________________
self = <azure.cli.core.tests.test_cloud.TestCloud testMethod=test_metadata_url_endpoints>

    @mock.patch.dict('os.environ', {'ARM_CLOUD_METADATA_URL': 'https://management.azure.com/metadata/endpoints?api-version=2019-05-01'})
    def test_metadata_url_endpoints(self):
        clouds = get_known_clouds(refresh=True)
        for cloud in HARD_CODED_CLOUD_LIST:
            metadata_url_cloud = next(c for c in clouds if c.name == cloud.name)
            for k, v1 in cloud.endpoints.__dict__.items():
                v2 = metadata_url_cloud.endpoints.__dict__[k]
                if v1:
>                   self.assertEqual(v1.strip('/'), v2.strip('/'))
E                   AssertionError: 'https://eastus2euap.management.azure.com' != 'https://management.azure.com'
E                   - https://eastus2euap.management.azure.com
E                   ?         ------------
E                   + https://management.azure.com

src/azure-cli-core/azure/cli/core/tests/test_cloud.py:260: AssertionError

This can't be fixed because

  1. There are tests like test_metadata_url_endpoints using https://management.azure.com.
  2. All YAML recordings are based on https://management.azure.com. Calling https://eastus2euap.management.azure.com will cause mismatch during playback.

dingmeng-xue
dingmeng-xue reviewed Feb 24, 2021
View reviewed changes
src/azure-cli-core/azure/cli/core/azclierror.py
Comment on lines +16 to +17
UNAUTHORIZED_MESSAGE = ("The access token has expired or been revoked due to being blocked by Continuous Access "
"Evaluation. To re-authenticate, please run `az login`. "
Copy link
Member

@dingmeng-xue dingmeng-xue Feb 24, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My understanding is continuous access evaluation just makes revoke happen before AT is expired. The statement can be "blocked by access policy" or "not meet the criteria to access this resource"

@yonzhan
Copy link
Collaborator

yonzhan commented Feb 24, 2021

CAE

@yonzhan yonzhan added this to the S184 milestone Feb 24, 2021
@yonzhan yonzhan self-requested a review February 24, 2021 12:42
@yonzhan yonzhan modified the milestones: S184, S185 Mar 20, 2021
@jiasli
Merge branch 'beta' into cae
c5b255b 
# Conflicts:
#	src/azure-cli-core/azure/cli/core/azclierror.py
#	src/azure-cli-core/setup.py
#	src/azure-cli/requirements.py3.Darwin.txt
#	src/azure-cli/requirements.py3.Linux.txt
#	src/azure-cli/requirements.py3.windows.txt
@jiasli jiasli changed the title {CAE} CAE beta support {Core} CAE b1 support Mar 29, 2021
@jiasli jiasli closed this Mar 29, 2021
@jiasli jiasli deleted the cae branch March 29, 2021 12:47
@jiasli jiasli changed the title {Core} CAE b1 support [Identity] CAE b1 Apr 8, 2021
@jiasli jiasli mentioned this pull request Apr 8, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yonzhan yonzhan Awaiting requested review from yonzhan

1 more reviewer

@dingmeng-xue dingmeng-xue dingmeng-xue left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@jiasli jiasli

Labels

MSAL

Projects

None yet

Milestone

S185

Development

Successfully merging this pull request may close these issues.

3 participants

@jiasli @yonzhan @dingmeng-xue