
[Identity] Azure Arc, Fabric and ManagedIdentityCredential refactoring#11976

Merged
27 commits merged into Azure:master from sadasant:identity/fix11653 on Nov 4, 2020

Conversation

@sadasant
Contributor

@sadasant sadasant commented Oct 21, 2020

This PR does the following:

  1. Simplifies the workflow of ManagedIdentityCredential, fixing [Identity] Refactor Managed Identity Credential #11653
  2. Implements caching on the managed credential so that we only verify which MSI is available once per instance of this class. There's no issue for this, but this is necessary to align with .Net
  3. Adds Azure Arc support, fixing Azure.Identity Support for Managed Identity for Azure Arc Applications #10235
  4. Adds Azure Fabric support, fixing Azure.Identity Support for Managed Identity for Service Fabric Applications #10238

Simplifies the workflow of ManagedIdentityCredential

This is now how we pick what MSI credential is available:

```ts
const MSIs = [appServiceMsi2019, appServiceMsi2017, arcMsi, cloudShellMsi, imdsMsi];

for (const msi of MSIs) {
  if (await msi.isAvailable(this.identityClient, resource, clientId, getTokenOptions)) {
    this.cachedMSI = msi;
    return msi;
  }
}
```

Shows the order of verification more clearly. Reduces the complexity of the credential.

Implements caching on the managed credential

The managed credential was verifying the availability of the MSIs on each request - except for the IMDS one, which had a very weird flow with a stateful boolean value that was passed through from method to method.

Instead of doing that, the first time we authenticate we define what MSI is available, and subsequent calls won't run any validation.

This aligns with .Net.

Adds Azure Arc support

This PR also showcases the refactoring by how simple it is to add a new MSI to the main ManagedIdentityCredential class.

The notes on how I was able to write and test the Arc MSI are here: https://gist.github.com/sadasant/888dc7e88543a21ee7061997984dd207

The change on the ManagedIdentityCredential consists of adding arcMsi to the array of MSIs used inside of the cachedAvailableMSI function.

There's an important note on how I'm currently validating this environment here: link.


I'll leave this PR as draft until we find the time to do an internal review, then I'll move it out of draft.

Fixes #11653
Fixes #10235

New:
Fixes #11595
Fixes #10238
Closes #12164
Fixes #12058

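The probe-then-cache loop the description sketches, written out as an added example that is not this PR's code. It shows why ordering matters (the first `isAvailable` hit is cached for the life of the instance) and makes the "verify once" behaviour observable by counting IMDS probes. The environment-variable markers are assumptions taken from the detection logic the Azure Identity SDKs publish for each MSI flavour, not something stated on this page; the IMDS network probe is injected so the code runs offline.

```typescript
// Added example (not code from this PR): ordered managed-identity detection with the
// result cached per instance, so the environment is inspected once and later calls
// reuse the chosen MSI.
//
// The environment-variable markers below follow the detection logic the Azure Identity
// SDKs publish for each MSI flavour; they are assumptions of this example. IMDS has no
// marker and has to be probed over the network (injected here).
type Env = Record<string, string | undefined>;

function hasAll(env: Env, ...names: string[]): boolean {
  return names.every((n) => !!env[n]);
}

interface Msi {
  name: string;
  // probeImds is only consulted by the IMDS flavour.
  isAvailable(env: Env, probeImds: () => boolean): boolean;
}

const fabricMsi: Msi = {
  name: "fabric",
  isAvailable: (env) => hasAll(env, "IDENTITY_ENDPOINT", "IDENTITY_HEADER", "IDENTITY_SERVER_THUMBPRINT"),
};
const appServiceMsi2017: Msi = {
  name: "appService2017",
  isAvailable: (env) => hasAll(env, "MSI_ENDPOINT", "MSI_SECRET"),
};
const cloudShellMsi: Msi = {
  name: "cloudShell",
  // Cloud Shell exposes MSI_ENDPOINT without a secret; App Service 2017 must be checked first.
  isAvailable: (env) => hasAll(env, "MSI_ENDPOINT") && !env["MSI_SECRET"],
};
const arcMsi: Msi = {
  name: "arc",
  isAvailable: (env) => hasAll(env, "IMDS_ENDPOINT", "IDENTITY_ENDPOINT"),
};
const imdsMsi: Msi = {
  name: "imds",
  isAvailable: (_env, probeImds) => probeImds(),
};

// Same order as the list that was merged: Fabric, App Service 2017, Cloud Shell, Arc, IMDS.
const MSIs: Msi[] = [fabricMsi, appServiceMsi2017, cloudShellMsi, arcMsi, imdsMsi];

class MsiSelector {
  private cachedMSI: Msi | undefined = undefined;
  private readonly env: Env;
  private readonly imdsReachable: boolean;
  public probeCount = 0; // how many times the (simulated) IMDS network probe ran

  constructor(env: Env, imdsReachable: boolean) {
    this.env = env;
    this.imdsReachable = imdsReachable;
  }

  // Stand-in for the real HTTP probe against IMDS; counts calls so caching is observable.
  private probeImds(): boolean {
    this.probeCount += 1;
    return this.imdsReachable;
  }

  cachedAvailableMSI(): Msi {
    if (this.cachedMSI) {
      return this.cachedMSI;
    }
    for (const msi of MSIs) {
      if (msi.isAvailable(this.env, () => this.probeImds())) {
        this.cachedMSI = msi;
        return msi;
      }
    }
    // Nothing matched: the credential is unavailable here. A chained credential should
    // treat this as "try the next credential", not as a hard authentication failure.
    throw new Error("CredentialUnavailable: no managed identity endpoint detected");
  }
}

function selectedMsiName(env: Env, imdsReachable: boolean): string {
  return new MsiSelector(env, imdsReachable).cachedAvailableMSI().name;
}
```

Because the selection is cached per instance, a process whose environment changes after the first `getToken` (for example a test that sets `MSI_ENDPOINT` late) keeps the first answer; that is the intended trade-off, and the reason the real credential should be constructed once per process.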
@sadasant sadasant self-assigned this Oct 21, 2020
@ghost ghost added the Azure.Identity label Oct 21, 2020
Comment thread sdk/identity/identity/src/credentials/managedIdentityCredential/arcMsi.ts Outdated
@sophiajt
Contributor

@sadasant - this definitely feels complete enough to move to being a full PR and to pull in folks who have worked on Arc on other languages for their feedback.

Thanks for taking the time to work on the refactor. The code felt readable and I was able to track where this new functionality was being added and could see where it was related to existing functionality.

@sadasant
Contributor Author

This PR also fixes #11595. I'm not exactly clear why. I haven't had the time to dig through the previous code to see why. I tested as many times as I could think of with and without these changes and these changes definitely fix #11595.

@sadasant sadasant marked this pull request as ready for review October 30, 2020 22:13
@sadasant sadasant requested a review from bterlson as a code owner October 30, 2020 22:13
@sophiajt
Contributor

sophiajt commented Nov 1, 2020

This looks good. I commented that we're currently removing the 2019 MSI support because it seems to cause issues with some services (#12058)

cc @schaabs for confirmation.

Other than that, I think this is ready from my perspective.

@sadasant sadasant changed the title [Identity] Azure Arc and ManagedIdentityCredential refactoring [Identity] Azure Arc, Fabric and ManagedIdentityCredential refactoring Nov 2, 2020
Comment thread sdk/identity/identity/package.json Outdated
"sinon": "^9.0.2",
"@types/sinon": "^9.0.4"
"@types/sinon": "^9.0.4",
"fs-mock": "~1.2.1"
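Review bot: confirm `"fs-mock": "~1.2.1"` is being added under devDependencies next to sinon and @types/sinon (the section header sits outside the hunk); a test-only filesystem mock must not end up in the runtime dependency list of the identity package, where every consumer would pull it in.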
Contributor


Called fs-mock here ^

Contributor Author


thanks!

Contributor

@sophiajt sophiajt left a comment


Left some comments, but this looks pretty good

Member

@laiapat laiapat left a comment


Looking really good so far! This is a lot of great work 👍

Comment thread sdk/identity/identity/CHANGELOG.md Outdated
Comment thread sdk/identity/identity/test/internal/node/managedIdentityCredential.spec.ts Outdated
Comment thread sdk/identity/identity/src/credentials/managedIdentityCredential/arcMsi.ts Outdated
Comment thread sdk/identity/identity/src/credentials/managedIdentityCredential/fabricMsi.ts Outdated
Comment thread sdk/identity/identity/src/credentials/managedIdentityCredential/fabricMsi.ts Outdated
Comment thread sdk/identity/identity/src/credentials/managedIdentityCredential/fabricMsi.ts Outdated
all wonderful suggestions by McCoy!

Co-authored-by: McCoy Patiño <39780829+mccoyp@users.noreply.github.com>
@check-enforcer

check-enforcer Bot commented Nov 3, 2020

This pull request is protected by Check Enforcer.

What is Check Enforcer?

Check Enforcer helps ensure all pull requests are covered by at least one check-run (typically an Azure Pipeline). When all check-runs associated with this pull request pass then Check Enforcer itself will pass.

Why am I getting this message?

You are getting this message because Check Enforcer did not detect any check-runs being associated with this pull request within five minutes. This may indicate that your pull request is not covered by any pipelines and so Check Enforcer is correctly blocking the pull request being merged.

What should I do now?

If the check-enforcer check-run is not passing and all other check-runs associated with this PR are passing (excluding license-cla) then you could try telling Check Enforcer to evaluate your pull request again. You can do this by adding a comment to this pull request as follows:
/check-enforcer evaluate
Typically evaluation only takes a few seconds. If you know that your pull request is not covered by a pipeline and this is expected you can override Check Enforcer using the following command:
/check-enforcer override
Note that using the override command triggers alerts so that follow-up investigations can occur (PRs still need to be approved as normal).

What if I am onboarding a new service?

Often, new services do not have validation pipelines associated with them, in order to bootstrap pipelines for a new service, you can issue the following command as a pull request comment:
/azp run prepare-pipelines
This will run a pipeline that analyzes the source tree and creates the pipelines necessary to build and validate your pull request. Once the pipeline has been created you can trigger the pipeline using the following comment:
/azp run js - [service] - ci

@sadasant sadasant requested a review from laiapat November 3, 2020 22:56
Member

@laiapat laiapat left a comment


Service Fabric side looks good! 🎉

return this.cachedMSI;
}

const MSIs = [fabricMsi, appServiceMsi2017, cloudShellMsi, arcMsi, imdsMsi];
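Review bot: the merged order here (`fabricMsi, appServiceMsi2017, cloudShellMsi, arcMsi, imdsMsi`) differs from the snippet in the PR description, which lists `appServiceMsi2019` first and has no `fabricMsi`; because the first `isAvailable` hit is cached for the lifetime of the instance, this order decides which endpoint wins when markers for more than one are present, so the description and the CHANGELOG entry should state the final order and the reason `appServiceMsi2019` was dropped (#12058).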
Member


Looks good to me.

// If we received any response, the endpoint is available
logger.info(`IMDS endpoint is available`);

// IMDS MSI available!
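Review bot: `// If we received any response, the endpoint is available` and the `IMDS endpoint is available` log conflate reachability with usability; an IMDS endpoint with no identity assigned still answers the token request with a 400, as raised in the thread below, so word the log as "endpoint reachable", keep the probe's result separate from token acquisition, and make sure that 400 surfaces as CredentialUnavailable rather than a generic AuthenticationError, otherwise a chained credential stops here instead of trying the next credential.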
Member


Well, the endpoint is available. If it has no assigned identity, it will respond 400 to a token request. Looks like getToken would throw CredentialUnavailable in that case?

Contributor Author


If getToken raises a 400 error, it will bubble up to this point: #11807 (comment)

Where we throw CredentialUnavailable!

How does that sound?

Contributor Author


I'm asking more information about this through Teams. In any case, the changes related to any retry policy will happen through a separate issue and PR.

if (response.status !== 401) {
throw new AuthenticationError(
response.status,
"To authenticate with Azure Arc MSI, status code 401 is expected on the first request."
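Review bot: `if (response.status !== 401)` only checks the status, but the Arc flow also depends on the `WWW-Authenticate` header carried by that 401 for its next step, so validate the header's presence here and report its absence with the same AuthenticationError; and, as asked below, put the response status and body (or the raw header value) into the message instead of only the fixed string, so a malformed request or missing parameter can be diagnosed from the error alone.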
Member


It might be helpful to users to return some info from the response from the service in the error. I'm wondering if it could have some useful information, for instance something like a malformed request or missing parameter.

Contributor Author


I'll do that! thank you!
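The two-step Arc exchange behind the "401 is expected on the first request" check, as an added example that is not this PR's code. It carries the response status and body in the error as laiapat suggests, and adds the check a practitioner wants in front of a file read driven by a server header: the realm must point into the expected key directory. Protocol facts used here come from the Azure Arc identity endpoint rather than from this page: the unauthenticated request is answered 401 with `WWW-Authenticate: Basic realm=<key file path>`, and the retry sends the file's contents as `Authorization: Basic <contents>`. The api-version, the allowed key directory and the 4 KiB size cap are assumptions of this example, and the endpoint, transport and key file are constructed in memory so it runs offline.

```typescript
// Added example, not code from this PR: the two-step Azure Arc managed identity
// exchange against a constructed in-memory Arc endpoint and key file.
interface HttpResponse {
  status: number;
  headers: Record<string, string>; // header names lower-cased
  body: string;
}
type Transport = (url: string, headers: Record<string, string>) => HttpResponse;
type ReadFile = (path: string) => string;

class ArcAuthError extends Error {
  readonly status: number;
  readonly body: string;
  constructor(message: string, status: number, body: string) {
    // Surface status and body so a malformed request or missing parameter is visible to the caller.
    super(`${message} (status ${status}): ${body}`);
    this.status = status;
    this.body = body;
  }
}

const ALLOWED_KEY_DIR = "/var/opt/azcmagent/tokens/"; // assumed Arc key directory (Linux)
const MAX_KEY_BYTES = 4096; // assumed upper bound for a key file

// Only accept a realm that points into the expected key directory: a rogue endpoint
// must not be able to make the client read an arbitrary file and send it back.
function validateKeyPath(realm: string): string {
  const p = realm.trim();
  if (!p.startsWith(ALLOWED_KEY_DIR) || !p.endsWith(".key") || p.includes("..")) {
    throw new ArcAuthError("refusing WWW-Authenticate realm outside the Arc key directory", 401, p);
  }
  return p;
}

function getArcToken(endpoint: string, resource: string, transport: Transport, readFile: ReadFile): string {
  const url = `${endpoint}?api-version=2019-11-01&resource=${encodeURIComponent(resource)}`;

  // Step 1: unauthenticated request; anything other than a 401 challenge is an error.
  const challenge = transport(url, { Metadata: "true" });
  if (challenge.status !== 401) {
    throw new ArcAuthError("Azure Arc MSI expects status 401 on the first request", challenge.status, challenge.body);
  }
  const www = challenge.headers["www-authenticate"];
  const match = www ? /^Basic realm=(.+)$/i.exec(www) : null;
  const realm = match ? match[1] : undefined;
  if (!realm) {
    throw new ArcAuthError("401 without a usable WWW-Authenticate challenge", challenge.status, www ?? "");
  }

  // Step 2: read the key the challenge points at and retry with it as a Basic credential.
  const key = readFile(validateKeyPath(realm));
  if (key.length === 0 || key.length > MAX_KEY_BYTES) {
    throw new Error("Arc key file is empty or larger than expected");
  }
  const tokenResponse = transport(url, { Metadata: "true", Authorization: `Basic ${key}` });
  if (tokenResponse.status !== 200) {
    throw new ArcAuthError("Azure Arc token request failed", tokenResponse.status, tokenResponse.body);
  }
  return JSON.parse(tokenResponse.body).access_token as string;
}

// Constructed stand-in for the Arc endpoint and its key file (not a real service).
const FAKE_KEY_PATH = ALLOWED_KEY_DIR + "11111111-2222-3333-4444-555555555555.key";
const FAKE_KEY = "constructed-key-material";
const fakeFiles: Record<string, string> = { [FAKE_KEY_PATH]: FAKE_KEY };
const fakeReadFile: ReadFile = (p) => {
  const contents = fakeFiles[p];
  if (contents === undefined) throw new Error(`ENOENT: ${p}`);
  return contents;
};
const fakeArcTransport: Transport = (_url, headers) => {
  if (headers.Authorization === `Basic ${FAKE_KEY}`) {
    return { status: 200, headers: {}, body: JSON.stringify({ access_token: "constructed-token", expires_in: 3600 }) };
  }
  return { status: 401, headers: { "www-authenticate": `Basic realm=${FAKE_KEY_PATH}` }, body: "" };
};
```

The key file is only readable by privileged local users on an Arc machine, which is what makes the challenge work as a proof of local presence; that is also why the client must never follow a realm outside the agent's directory.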

Member

@catalinaperalta catalinaperalta left a comment


The Arc MSI support looks good to me!

@ghost

ghost commented Nov 4, 2020

Hello @sadasant!

Because this pull request has the auto-merge label, I will be glad to assist with helping to merge this pull request once all check-in policies pass.

p.s. you can customize the way I help with merging this pull request, such as holding this pull request until a specific person approves. Simply @mention me (@msftbot) and give me an instruction to get started! Learn more here.

@ghost ghost merged commit 3f6f5ed into Azure:master Nov 4, 2020
@sadasant sadasant deleted the identity/fix11653 branch November 4, 2020 22:53