Identity fix powershell bugs (#41266)

billwert · billwert · commit 6c8997cc1df4 · 2024-08-02T11:05:49.000-07:00
diff --git a/sdk/identity/azure-identity/CHANGELOG.md b/sdk/identity/azure-identity/CHANGELOG.md
@@ -2,6 +2,9 @@
 
 ## 1.13.2 (2024-08-02)
 
+### Bugs Fixed
+- Fixed bugs in `AzurePowerShellCredential` - Fixed break on Windows related to ordering of parameters, and fixed [#41234](https://github.com/Azure/azure-sdk-for-java/issues/41234) (previously shipped in beta)
+
 ### Other Changes
 
 #### Dependency Updates
@@ -10,11 +13,15 @@
 - Upgraded `azure-core-http-netty` from `1.15.2` to version `1.15.3`.
 - Upgraded `azure-json` from `1.1.0` to version `1.2.0`.
 
+## 1.14.0-beta.1 (2024-07-24)
+
+### Bugs Fixed
+- Fixed bugs in `AzurePowerShellCredential` - Fixed break on Windows related to ordering of parameters, and fixed [#41234](https://github.com/Azure/azure-sdk-for-java/issues/41234)
+
 ## 1.13.1 (2024-07-16)
 
 ### Features Added
-- Added support in `EnvironmentCredential` (and thus `DefaultAzureCredential` when it chooses `EnvironmentCredential`) for using subject name / issuer authentication with client certificates by setting `AZURE_CLIENT_SEND_CERTIFICATE_CHAIN` to `1` or `true`. [#40013](https://github.com/Azure/azure-sdk-for-java/issues/40013) 
-
+- Added support in `EnvironmentCredential` (and thus `DefaultAzureCredential` when it chooses `EnvironmentCredential`) for using subject name / issuer authentication with client certificates by setting `AZURE_CLIENT_SEND_CERTIFICATE_CHAIN` to `1` or `true`. [#40013](https://github.com/Azure/azure-sdk-for-java/issues/40013)
 ### Bugs Fixed
 - Fixed certificate type detection, which fixes using a PFX certificate without a password. [#37210](https://github.com/Azure/azure-sdk-for-java/issues/37210)
 - Fix `PowershellCredential` issue when user had a profile [#41030](https://github.com/Azure/azure-sdk-for-java/pull/41030)
diff --git a/sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClient.java b/sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClient.java
@@ -44,6 +44,7 @@
 import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.MalformedURLException;
+
 import java.net.Proxy;
 import java.net.Proxy.Type;
 import java.net.URI;
@@ -485,45 +486,63 @@ private Mono<AccessToken> getAccessTokenFromPowerShell(TokenRequestContext reque
             throw LOGGER.logExceptionAsError(ex);
         }
         return Mono.defer(() -> {
-            String azAccountsCommand = "Import-Module Az.Accounts -MinimumVersion 2.2.0 -PassThru";
-            return powershellManager.runCommand(azAccountsCommand).flatMap(output -> {
-                if (output.contains("The specified module 'Az.Accounts' with version '2.2.0' was not loaded "
-                                    + "because no valid module file")) {
+            String sep = System.lineSeparator();
+
+            String command = "$ErrorActionPreference = 'Stop'" + sep
+                + "[version]$minimumVersion = '2.2.0'" + sep
+                + "" + sep
+                + "$m = Import-Module Az.Accounts -MinimumVersion $minimumVersion -PassThru -ErrorAction SilentlyContinue" + sep
+                + "" + sep
+                + "if (! $m) {" + sep
+                + "    Write-Output 'VersionTooOld'" + sep
+                + "    exit" + sep
+                + "}" + sep
+                + "" + sep
+                + "$useSecureString = $m.Version -ge [version]'2.17.0'" + sep
+                + "" + sep
+                + "$params = @{" + sep
+                + "    'WarningAction'='Ignore'" + sep
+                + "    'ResourceUrl'='" + scope + "'" + sep
+                + "}" + sep
+                + "" + sep
+                + "if ($useSecureString) {" + sep
+                + "    $params['AsSecureString'] = $true" + sep
+                + "}" + sep
+                + "" + sep
+                + "$token = Get-AzAccessToken @params" + sep
+                + "$customToken = New-Object -TypeName psobject" + sep
+                + "" + sep
+                + "$customToken | Add-Member -MemberType NoteProperty -Name Token -Value ($useSecureString -eq $true ? (ConvertFrom-SecureString -AsPlainText $token.Token) : $token.Token)" + sep
+                + "$customToken | Add-Member -MemberType NoteProperty -Name ExpiresOn -Value $token.ExpiresOn" + sep
+                + "" + sep
+                + "return $customToken | ConvertTo-Json";
+            return powershellManager.runCommand(command).flatMap(output -> {
+                if (output.contains("VersionTooOld")) {
                     return Mono.error(LoggingUtil.logCredentialUnavailableException(LOGGER, options,
                         new CredentialUnavailableException("Az.Account module with version >= 2.2.0 is not installed. "
-                                                           + "It needs to be installed to use Azure PowerShell "
-                                                           + "Credential.")));
+                            + "It needs to be installed to use Azure PowerShell "
+                            + "Credential.")));
                 }
 
-                LOGGER.verbose("Az.accounts module was found installed.");
-                String command = "Get-AzAccessToken -ResourceUrl '"
-                    + scope
-                    + "' | ConvertTo-Json";
-                LOGGER.verbose("Azure Powershell Authentication => Executing the command `{}` in Azure "
-                               + "Powershell to retrieve the Access Token.", command);
+                if (output.contains("Run Connect-AzAccount to login")) {
+                    return Mono.error(LoggingUtil.logCredentialUnavailableException(LOGGER, options,
+                        new CredentialUnavailableException(
+                            "Run Connect-AzAccount to login to Azure account in PowerShell.")));
+                }
 
-                return powershellManager.runCommand(command).flatMap(out -> {
-                    if (out.contains("Run Connect-AzAccount to login")) {
-                        return Mono.error(LoggingUtil.logCredentialUnavailableException(LOGGER, options,
-                            new CredentialUnavailableException(
-                                "Run Connect-AzAccount to login to Azure account in PowerShell.")));
-                    }
 
-                    try {
-                        LOGGER.verbose("Azure Powershell Authentication => Attempting to deserialize the "
-                                       + "received response from Azure Powershell.");
-                        Map<String, String> objectMap = SERIALIZER_ADAPTER.deserialize(out, Map.class,
-                            SerializerEncoding.JSON);
-                        String accessToken = objectMap.get("Token");
-                        String time = objectMap.get("ExpiresOn");
-                        OffsetDateTime expiresOn = OffsetDateTime.parse(time).withOffsetSameInstant(ZoneOffset.UTC);
-                        return Mono.just(new AccessToken(accessToken, expiresOn));
-                    } catch (IOException e) {
-                        return Mono.error(LoggingUtil.logCredentialUnavailableException(LOGGER, options,
-                            new CredentialUnavailableException(
-                                "Encountered error when deserializing response from Azure Power Shell.", e)));
-                    }
-                });
+                try {
+                    Map<String, String> objectMap = SERIALIZER_ADAPTER.deserialize(output, Map.class,
+                        SerializerEncoding.JSON);
+                    String accessToken = objectMap.get("Token");
+                    String time = objectMap.get("ExpiresOn");
+                    OffsetDateTime expiresOn = OffsetDateTime.parse(time).withOffsetSameInstant(ZoneOffset.UTC);
+                    return Mono.just(new AccessToken(accessToken, expiresOn));
+                } catch (IOException e) {
+                    return Mono.error(LoggingUtil.logCredentialUnavailableException(LOGGER, options,
+                        new CredentialUnavailableException(
+                            "Encountered error when deserializing response from Azure Power Shell.", e)));
+                }
             });
         });
     }
diff --git a/sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/PowershellManager.java b/sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/PowershellManager.java
@@ -11,6 +11,7 @@
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
+import java.nio.charset.StandardCharsets;
 import java.util.concurrent.TimeUnit;
 
 public class PowershellManager {
@@ -33,6 +34,7 @@ public Mono<String> runCommand(String input) {
             try {
                 String[] command = getCommandLine(input);
 
+
                 ProcessBuilder processBuilder = new ProcessBuilder(command);
                 processBuilder.redirectErrorStream(true);
                 Process process = processBuilder.start();
@@ -53,8 +55,10 @@ public Mono<String> runCommand(String input) {
     }
 
     String[] getCommandLine(String input) {
+        String base64Input = java.util.Base64.getEncoder().encodeToString(input.getBytes(StandardCharsets.UTF_16LE));
+
         return Platform.isWindows()
-            ? new String[]{powershellPath, "-Command", "-NoProfile", input}
-            : new String[]{"/bin/bash", "-c", String.format("%s -NoProfile -Command '%s'", powershellPath, input)};
+            ? new String[]{powershellPath, "-NoProfile", "-EncodedCommand", base64Input}
+            : new String[]{"/bin/bash", "-c", String.format("%s -NoProfile -EncodedCommand '%s'", powershellPath, base64Input)};
     }
 }
