diff --git a/sdk/identity/azure-identity/CHANGELOG.md b/sdk/identity/azure-identity/CHANGELOG.md index ba324f2c110a..ba5cd58502bf 100644 --- a/sdk/identity/azure-identity/CHANGELOG.md +++ b/sdk/identity/azure-identity/CHANGELOG.md @@ -4,6 +4,21 @@ ### Breaking Changes - Renamed optional `CertificateCredential` keyword argument `send_certificate` to `send_certificate_chain` +- Removed application authentication APIs added in prior betas. These will be + reintroduced in 1.6.0b1. Passing the keyword arguments below + generally won't cause a runtime error, but the arguments have no effect. + - Removed `authenticate` method from `DeviceCodeCredential`, + `InteractiveBrowserCredential`, and `UsernamePasswordCredential` + - Removed `allow_unencrypted_cache` and `enable_persistent_cache` keyword + arguments from `CertificateCredential`, `ClientSecretCredential`, + `DeviceCodeCredential`, `InteractiveBrowserCredential`, and + `UsernamePasswordCredential` + - Removed `disable_automatic_authentication` keyword argument from + `DeviceCodeCredential` and `InteractiveBrowserCredential` + - Removed `allow_unencrypted_cache` keyword argument from + `SharedTokenCacheCredential` + - Removed classes `AuthenticationRecord` and `AuthenticationRequiredError` +- Removed `identity_config` keyword argument from `ManagedIdentityCredential` ### Changed - `DeviceCodeCredential` parameter `client_id` is now optional. When not @@ -47,7 +62,7 @@ ([#11346](https://github.com/Azure/azure-sdk-for-python/issues/11346)) - `DefaultAzureCredential` allows specifying the client ID of a user-assigned managed identity via keyword argument `managed_identity_client_id` - ([#12991](https://github.com/Azure/azure-sdk-for-python/issues/12991)) + ([#12991](https://github.com/Azure/azure-sdk-for-python/issues/12991)) - `CertificateCredential` supports Subject Name/Issuer authentication when created with `send_certificate=True`. The async `CertificateCredential` (`azure.identity.aio.CertificateCredential`) will support this in a @@ -63,7 +78,7 @@ ([#12696](https://github.com/Azure/azure-sdk-for-python/issues/12696)) - `InteractiveBrowserCredential` keyword argument `redirect_uri` enables authentication with a user-specified application having a custom redirect URI - ([#13344](https://github.com/Azure/azure-sdk-for-python/issues/13344)) + ([#13344](https://github.com/Azure/azure-sdk-for-python/issues/13344)) ### Breaking changes - Removed `authentication_record` keyword argument from the async diff --git a/sdk/identity/azure-identity/azure/identity/__init__.py b/sdk/identity/azure-identity/azure/identity/__init__.py index 3819005a9e63..a749d3510112 100644 --- a/sdk/identity/azure-identity/azure/identity/__init__.py +++ b/sdk/identity/azure-identity/azure/identity/__init__.py @@ -4,8 +4,7 @@ # ------------------------------------ """Credentials for Azure SDK clients.""" -from ._auth_record import AuthenticationRecord -from ._exceptions import AuthenticationRequiredError, CredentialUnavailableError +from ._exceptions import CredentialUnavailableError from ._constants import AzureAuthorityHosts, KnownAuthorities from ._credentials import ( AzureCliCredential, @@ -25,8 +24,6 @@ __all__ = [ - "AuthenticationRecord", - "AuthenticationRequiredError", "AuthorizationCodeCredential", "AzureAuthorityHosts", "AzureCliCredential", diff --git a/sdk/identity/azure-identity/azure/identity/_credentials/app_service.py b/sdk/identity/azure-identity/azure/identity/_credentials/app_service.py index 4ef34b766dd3..fa1ce61eec61 100644 --- a/sdk/identity/azure-identity/azure/identity/_credentials/app_service.py +++ b/sdk/identity/azure-identity/azure/identity/_credentials/app_service.py @@ -48,7 +48,7 @@ def _request_token(self, *scopes, **kwargs): def _get_client_args(**kwargs): # type: (dict) -> Optional[dict] - identity_config = kwargs.pop("identity_config", None) or {} + identity_config = kwargs.pop("_identity_config", None) or {} url = os.environ.get(EnvironmentVariables.MSI_ENDPOINT) secret = os.environ.get(EnvironmentVariables.MSI_SECRET) diff --git a/sdk/identity/azure-identity/azure/identity/_credentials/browser.py b/sdk/identity/azure-identity/azure/identity/_credentials/browser.py index 97d4104d41b2..5649acd008a1 100644 --- a/sdk/identity/azure-identity/azure/identity/_credentials/browser.py +++ b/sdk/identity/azure-identity/azure/identity/_credentials/browser.py @@ -40,13 +40,6 @@ class InteractiveBrowserCredential(InteractiveCredential): Active Directory, for example "http://localhost:8400". This is only required when passing a value for `client_id`, and must match a redirect URI in the application's registration. The credential must be able to bind a socket to this URI. - :keyword AuthenticationRecord authentication_record: :class:`AuthenticationRecord` returned by :func:`authenticate` - :keyword bool disable_automatic_authentication: if True, :func:`get_token` will raise - :class:`AuthenticationRequiredError` when user interaction is required to acquire a token. Defaults to False. - :keyword bool enable_persistent_cache: if True, the credential will store tokens in a persistent cache shared by - other user credentials. Defaults to False. - :keyword bool allow_unencrypted_cache: if True, the credential will fall back to a plaintext cache on platforms - where encryption is unavailable. Default to False. Has no effect when `enable_persistent_cache` is False. :keyword int timeout: seconds to wait for the user to complete authentication. Defaults to 300 (5 minutes). """ diff --git a/sdk/identity/azure-identity/azure/identity/_credentials/certificate.py b/sdk/identity/azure-identity/azure/identity/_credentials/certificate.py index 49fc06ee0f67..520f3e2a6cc5 100644 --- a/sdk/identity/azure-identity/azure/identity/_credentials/certificate.py +++ b/sdk/identity/azure-identity/azure/identity/_credentials/certificate.py @@ -33,10 +33,6 @@ class CertificateCredential(ClientCredentialBase): :keyword bool send_certificate_chain: if True, the credential will send the public certificate chain in the x5c header of each token request's JWT. This is required for Subject Name/Issuer (SNI) authentication. Defaults to False. - :keyword bool enable_persistent_cache: if True, the credential will store tokens in a persistent cache. Defaults to - False. - :keyword bool allow_unencrypted_cache: if True, the credential will fall back to a plaintext cache when encryption - is unavailable. Default to False. Has no effect when `enable_persistent_cache` is False. """ def __init__(self, tenant_id, client_id, certificate_path, **kwargs): diff --git a/sdk/identity/azure-identity/azure/identity/_credentials/client_secret.py b/sdk/identity/azure-identity/azure/identity/_credentials/client_secret.py index 311a6f1ef3e8..c6a871f92ca9 100644 --- a/sdk/identity/azure-identity/azure/identity/_credentials/client_secret.py +++ b/sdk/identity/azure-identity/azure/identity/_credentials/client_secret.py @@ -21,10 +21,6 @@ class ClientSecretCredential(ClientCredentialBase): :keyword str authority: Authority of an Azure Active Directory endpoint, for example 'login.microsoftonline.com', the authority for Azure Public Cloud (which is the default). :class:`~azure.identity.AzureAuthorityHosts` defines authorities for other clouds. - :keyword bool enable_persistent_cache: if True, the credential will store tokens in a persistent cache. Defaults to - False. - :keyword bool allow_unencrypted_cache: if True, the credential will fall back to a plaintext cache when encryption - is unavailable. Default to False. Has no effect when `enable_persistent_cache` is False. """ def __init__(self, tenant_id, client_id, client_secret, **kwargs): diff --git a/sdk/identity/azure-identity/azure/identity/_credentials/device_code.py b/sdk/identity/azure-identity/azure/identity/_credentials/device_code.py index 8ac86bb9c0d8..7bd4644718b3 100644 --- a/sdk/identity/azure-identity/azure/identity/_credentials/device_code.py +++ b/sdk/identity/azure-identity/azure/identity/_credentials/device_code.py @@ -48,13 +48,6 @@ class DeviceCodeCredential(InteractiveCredential): - ``expires_on`` (datetime.datetime) the UTC time at which the code will expire If this argument isn't provided, the credential will print instructions to stdout. :paramtype prompt_callback: Callable[str, str, ~datetime.datetime] - :keyword AuthenticationRecord authentication_record: :class:`AuthenticationRecord` returned by :func:`authenticate` - :keyword bool disable_automatic_authentication: if True, :func:`get_token` will raise - :class:`AuthenticationRequiredError` when user interaction is required to acquire a token. Defaults to False. - :keyword bool enable_persistent_cache: if True, the credential will store tokens in a persistent cache shared by - other user credentials. Defaults to False. - :keyword bool allow_unencrypted_cache: if True, the credential will fall back to a plaintext cache on platforms - where encryption is unavailable. Default to False. Has no effect when `enable_persistent_cache` is False. """ def __init__(self, client_id=DEVELOPER_SIGN_ON_CLIENT_ID, **kwargs): diff --git a/sdk/identity/azure-identity/azure/identity/_credentials/managed_identity.py b/sdk/identity/azure-identity/azure/identity/_credentials/managed_identity.py index a5aace15c792..2de47bdaa42e 100644 --- a/sdk/identity/azure-identity/azure/identity/_credentials/managed_identity.py +++ b/sdk/identity/azure-identity/azure/identity/_credentials/managed_identity.py @@ -44,10 +44,6 @@ class ManagedIdentityCredential(object): the keyword arguments. :keyword str client_id: a user-assigned identity's client ID. This is supported in all hosting environments. - :keyword identity_config: a mapping ``{parameter_name: value}`` specifying a user-assigned identity by its object - or resource ID, for example ``{"object_id": "..."}``. Check the documentation for your hosting environment to - learn what values it expects. - :paramtype identity_config: Mapping[str, str] """ def __init__(self, **kwargs): @@ -95,7 +91,7 @@ def get_token(self, *scopes, **kwargs): class _ManagedIdentityBase(object): def __init__(self, endpoint, client_cls, config=None, client_id=None, **kwargs): # type: (str, Type, Optional[Configuration], Optional[str], **Any) -> None - self._identity_config = kwargs.pop("identity_config", None) or {} + self._identity_config = kwargs.pop("_identity_config", None) or {} if client_id: if os.environ.get(EnvironmentVariables.MSI_ENDPOINT) and os.environ.get(EnvironmentVariables.MSI_SECRET): # App Service: version 2017-09-1 accepts client ID as parameter "clientid" diff --git a/sdk/identity/azure-identity/azure/identity/_credentials/shared_cache.py b/sdk/identity/azure-identity/azure/identity/_credentials/shared_cache.py index e36a4c1edffe..daaa48d89e1b 100644 --- a/sdk/identity/azure-identity/azure/identity/_credentials/shared_cache.py +++ b/sdk/identity/azure-identity/azure/identity/_credentials/shared_cache.py @@ -24,7 +24,7 @@ if TYPE_CHECKING: # pylint:disable=unused-import,ungrouped-imports from typing import Any, Optional - from .. import AuthenticationRecord + from .._auth_record import AuthenticationRecord from .._internal import AadClientBase @@ -40,16 +40,12 @@ class SharedTokenCacheCredential(SharedTokenCacheBase): defines authorities for other clouds. :keyword str tenant_id: an Azure Active Directory tenant ID. Used to select an account when the cache contains tokens for multiple identities. - :keyword AuthenticationRecord authentication_record: an authentication record returned by a user credential such as - :class:`DeviceCodeCredential` or :class:`InteractiveBrowserCredential` - :keyword bool allow_unencrypted_cache: if True, the credential will fall back to a plaintext cache when encryption - is unavailable. Defaults to False. """ def __init__(self, username=None, **kwargs): # type: (Optional[str], **Any) -> None - self._auth_record = kwargs.pop("authentication_record", None) # type: Optional[AuthenticationRecord] + self._auth_record = kwargs.pop("_authentication_record", None) # type: Optional[AuthenticationRecord] if self._auth_record: # authenticate in the tenant that produced the record unless "tenant_id" specifies another self._tenant_id = kwargs.pop("tenant_id", None) or self._auth_record.tenant_id diff --git a/sdk/identity/azure-identity/azure/identity/_credentials/user_password.py b/sdk/identity/azure-identity/azure/identity/_credentials/user_password.py index 1c6c1b3561d6..a5636855a6e1 100644 --- a/sdk/identity/azure-identity/azure/identity/_credentials/user_password.py +++ b/sdk/identity/azure-identity/azure/identity/_credentials/user_password.py @@ -33,10 +33,6 @@ class UsernamePasswordCredential(InteractiveCredential): defines authorities for other clouds. :keyword str tenant_id: tenant ID or a domain associated with a tenant. If not provided, defaults to the 'organizations' tenant, which supports only Azure Active Directory work or school accounts. - :keyword bool enable_persistent_cache: if True, the credential will store tokens in a persistent cache shared by - other user credentials. Defaults to False. - :keyword bool allow_unencrypted_cache: if True, the credential will fall back to a plaintext cache on platforms - where encryption is unavailable. Default to False. Has no effect when `enable_persistent_cache` is False. """ def __init__(self, client_id, username, password, **kwargs): @@ -46,7 +42,7 @@ def __init__(self, client_id, username, password, **kwargs): # first time it's asked for a token. However, we want to ensure this first authentication is not silent, to # validate the given password. This class therefore doesn't document the authentication_record argument, and we # discard it here. - kwargs.pop("authentication_record", None) + kwargs.pop("_authentication_record", None) super(UsernamePasswordCredential, self).__init__(client_id=client_id, **kwargs) self._username = username self._password = password diff --git a/sdk/identity/azure-identity/azure/identity/_internal/certificate_credential_base.py b/sdk/identity/azure-identity/azure/identity/_internal/certificate_credential_base.py index 32524d3d5682..7b1170dddecf 100644 --- a/sdk/identity/azure-identity/azure/identity/_internal/certificate_credential_base.py +++ b/sdk/identity/azure-identity/azure/identity/_internal/certificate_credential_base.py @@ -46,9 +46,9 @@ def __init__(self, tenant_id, client_id, certificate_path, **kwargs): self._certificate = AadClientCertificate(pem_bytes, password=password) - enable_persistent_cache = kwargs.pop("enable_persistent_cache", False) - if enable_persistent_cache: - allow_unencrypted = kwargs.pop("allow_unencrypted_cache", False) + _enable_persistent_cache = kwargs.pop("_enable_persistent_cache", False) + if _enable_persistent_cache: + allow_unencrypted = kwargs.pop("_allow_unencrypted_cache", False) cache = load_service_principal_cache(allow_unencrypted) else: cache = TokenCache() diff --git a/sdk/identity/azure-identity/azure/identity/_internal/client_credential_base.py b/sdk/identity/azure-identity/azure/identity/_internal/client_credential_base.py index 68fc0df801ea..7d8b88920613 100644 --- a/sdk/identity/azure-identity/azure/identity/_internal/client_credential_base.py +++ b/sdk/identity/azure-identity/azure/identity/_internal/client_credential_base.py @@ -23,8 +23,8 @@ class ClientCredentialBase(MsalCredential, GetTokenMixin): """Base class for credentials authenticating a service principal with a certificate or secret""" def __init__(self, **kwargs): - if kwargs.pop("enable_persistent_cache", False): - allow_unencrypted = kwargs.pop("allow_unencrypted_cache", False) + if kwargs.pop("_enable_persistent_cache", False): + allow_unencrypted = kwargs.pop("_allow_unencrypted_cache", False) cache = load_service_principal_cache(allow_unencrypted) else: cache = msal.TokenCache() diff --git a/sdk/identity/azure-identity/azure/identity/_internal/client_secret_credential_base.py b/sdk/identity/azure-identity/azure/identity/_internal/client_secret_credential_base.py index 204b9a52ee51..6af19577ed24 100644 --- a/sdk/identity/azure-identity/azure/identity/_internal/client_secret_credential_base.py +++ b/sdk/identity/azure-identity/azure/identity/_internal/client_secret_credential_base.py @@ -33,9 +33,9 @@ def __init__(self, tenant_id, client_id, client_secret, **kwargs): ) validate_tenant_id(tenant_id) - enable_persistent_cache = kwargs.pop("enable_persistent_cache", False) - if enable_persistent_cache: - allow_unencrypted = kwargs.pop("allow_unencrypted_cache", False) + _enable_persistent_cache = kwargs.pop("_enable_persistent_cache", False) + if _enable_persistent_cache: + allow_unencrypted = kwargs.pop("_allow_unencrypted_cache", False) cache = load_service_principal_cache(allow_unencrypted) else: cache = TokenCache() diff --git a/sdk/identity/azure-identity/azure/identity/_internal/interactive.py b/sdk/identity/azure-identity/azure/identity/_internal/interactive.py index 333a884e80e4..8bf446ee5064 100644 --- a/sdk/identity/azure-identity/azure/identity/_internal/interactive.py +++ b/sdk/identity/azure-identity/azure/identity/_internal/interactive.py @@ -82,8 +82,8 @@ def _build_auth_record(response): class InteractiveCredential(MsalCredential): def __init__(self, **kwargs): - self._disable_automatic_authentication = kwargs.pop("disable_automatic_authentication", False) - self._auth_record = kwargs.pop("authentication_record", None) # type: Optional[AuthenticationRecord] + self._disable_automatic_authentication = kwargs.pop("_disable_automatic_authentication", False) + self._auth_record = kwargs.pop("_authentication_record", None) # type: Optional[AuthenticationRecord] if self._auth_record: kwargs.pop("client_id", None) # authentication_record overrides client_id argument tenant_id = kwargs.pop("tenant_id", None) or self._auth_record.tenant_id @@ -108,8 +108,6 @@ def get_token(self, *scopes, **kwargs): required data, state, or platform support :raises ~azure.core.exceptions.ClientAuthenticationError: authentication failed. The error's ``message`` attribute gives a reason. - :raises AuthenticationRequiredError: user interaction is necessary to acquire a token, and the credential is - configured not to begin this automatically. Call :func:`authenticate` to begin interactive authentication. """ if not scopes: message = "'get_token' requires at least one scope" @@ -151,7 +149,7 @@ def get_token(self, *scopes, **kwargs): _LOGGER.info("%s.get_token succeeded", self.__class__.__name__) return AccessToken(result["access_token"], now + int(result["expires_in"])) - def authenticate(self, **kwargs): + def _authenticate(self, **kwargs): # type: (**Any) -> AuthenticationRecord """Interactively authenticate a user. diff --git a/sdk/identity/azure-identity/azure/identity/_internal/msal_credentials.py b/sdk/identity/azure-identity/azure/identity/_internal/msal_credentials.py index bb8437453031..8fd47ee20075 100644 --- a/sdk/identity/azure-identity/azure/identity/_internal/msal_credentials.py +++ b/sdk/identity/azure-identity/azure/identity/_internal/msal_credentials.py @@ -40,8 +40,8 @@ def __init__(self, client_id, client_credential=None, **kwargs): self._cache = kwargs.pop("_cache", None) # internal, for use in tests if not self._cache: - if kwargs.pop("enable_persistent_cache", False): - allow_unencrypted = kwargs.pop("allow_unencrypted_cache", False) + if kwargs.pop("_enable_persistent_cache", False): + allow_unencrypted = kwargs.pop("_allow_unencrypted_cache", False) self._cache = load_user_cache(allow_unencrypted) else: self._cache = msal.TokenCache() diff --git a/sdk/identity/azure-identity/azure/identity/_internal/shared_token_cache.py b/sdk/identity/azure-identity/azure/identity/_internal/shared_token_cache.py index 11d42936cd57..8aa991c4d28b 100644 --- a/sdk/identity/azure-identity/azure/identity/_internal/shared_token_cache.py +++ b/sdk/identity/azure-identity/azure/identity/_internal/shared_token_cache.py @@ -112,7 +112,7 @@ def _initialize(self): def _load_cache(self): if not self._cache and self.supported(): - allow_unencrypted = self._client_kwargs.get("allow_unencrypted_cache", False) + allow_unencrypted = self._client_kwargs.get("_allow_unencrypted_cache", True) try: self._cache = load_user_cache(allow_unencrypted) except Exception: # pylint:disable=broad-except diff --git a/sdk/identity/azure-identity/azure/identity/aio/_credentials/client_secret.py b/sdk/identity/azure-identity/azure/identity/aio/_credentials/client_secret.py index b83ac21dba5b..6ad7d3ec2972 100644 --- a/sdk/identity/azure-identity/azure/identity/aio/_credentials/client_secret.py +++ b/sdk/identity/azure-identity/azure/identity/aio/_credentials/client_secret.py @@ -23,10 +23,6 @@ class ClientSecretCredential(AsyncContextManager, ClientSecretCredentialBase): :keyword str authority: Authority of an Azure Active Directory endpoint, for example 'login.microsoftonline.com', the authority for Azure Public Cloud (which is the default). :class:`~azure.identity.AzureAuthorityHosts` defines authorities for other clouds. - :keyword bool enable_persistent_cache: if True, the credential will store tokens in a persistent cache. Defaults to - False. - :keyword bool allow_unencrypted_cache: if True, the credential will fall back to a plaintext cache when encryption - is unavailable. Default to False. Has no effect when `enable_persistent_cache` is False. """ async def __aenter__(self): diff --git a/sdk/identity/azure-identity/azure/identity/aio/_credentials/managed_identity.py b/sdk/identity/azure-identity/azure/identity/aio/_credentials/managed_identity.py index aad7bd4b3ba1..2c3eeedc0c51 100644 --- a/sdk/identity/azure-identity/azure/identity/aio/_credentials/managed_identity.py +++ b/sdk/identity/azure-identity/azure/identity/aio/_credentials/managed_identity.py @@ -32,10 +32,6 @@ class ManagedIdentityCredential(AsyncContextManager): the keyword arguments. :keyword str client_id: a user-assigned identity's client ID. This is supported in all hosting environments. - :keyword identity_config: a mapping ``{parameter_name: value}`` specifying a user-assigned identity by its object - or resource ID, for example ``{"object_id": "..."}``. Check the documentation for your hosting environment to - learn what values it expects. - :paramtype identity_config: Mapping[str, str] """ def __init__(self, **kwargs: "Any") -> None: diff --git a/sdk/identity/azure-identity/azure/identity/aio/_credentials/shared_cache.py b/sdk/identity/azure-identity/azure/identity/aio/_credentials/shared_cache.py index a34d56042970..86fc662801a2 100644 --- a/sdk/identity/azure-identity/azure/identity/aio/_credentials/shared_cache.py +++ b/sdk/identity/azure-identity/azure/identity/aio/_credentials/shared_cache.py @@ -29,8 +29,6 @@ class SharedTokenCacheCredential(SharedTokenCacheBase, AsyncContextManager): defines authorities for other clouds. :keyword str tenant_id: an Azure Active Directory tenant ID. Used to select an account when the cache contains tokens for multiple identities. - :keyword bool allow_unencrypted_cache: if True, the credential will fall back to a plaintext cache when encryption - is unavailable. Defaults to False. """ async def __aenter__(self): diff --git a/sdk/identity/azure-identity/samples/README.md b/sdk/identity/azure-identity/samples/README.md index ab61f28e7cc6..72d6c19fa39f 100644 --- a/sdk/identity/azure-identity/samples/README.md +++ b/sdk/identity/azure-identity/samples/README.md @@ -12,14 +12,8 @@ urlFragment: identity-samples ## Prerequisites -You must have an [Azure subscription](https://azure.microsoft.com/free) and an -[Azure Key Vault](https://azure.microsoft.com/services/key-vault/) to run -these samples. You can create a Key Vault in the -[Azure Portal](https://portal.azure.com/#create/Microsoft.KeyVault) or with the -[Azure CLI](https://docs.microsoft.com/azure/key-vault/secrets/quick-create-cli). - -Azure Key Vault is used only to demonstrate authentication. Azure Identity has -the same API for all compatible client libraries. +You must have an [Azure subscription](https://azure.microsoft.com/free) to run +these samples. ## Setup @@ -27,12 +21,10 @@ To run these samples, first install the Azure Identity and Key Vault Secrets client libraries: ```commandline -pip install azure-identity azure-keyvault-secrets +pip install azure-identity ``` ## Contents | File | Description | |-------------|-------------| -| control_interactive_prompts.py | demonstrates controlling when interactive credentials prompt for user interaction | | custom_credentials.py | demonstrates custom credential implementation | -| user_authentication.py | demonstrates user authentication API for applications | diff --git a/sdk/identity/azure-identity/samples/control_interactive_prompts.py b/sdk/identity/azure-identity/samples/control_interactive_prompts.py deleted file mode 100644 index 10dabf65e9d2..000000000000 --- a/sdk/identity/azure-identity/samples/control_interactive_prompts.py +++ /dev/null @@ -1,38 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -"""Demonstrates controlling the timing of interactive authentication using InteractiveBrowserCredential. - -DeviceCodeCredential supports the same API. -""" - -import os -import sys -from azure.identity import AuthenticationRequiredError, InteractiveBrowserCredential -from azure.keyvault.secrets import SecretClient - - -# This sample uses Key Vault only for demonstration. Any client accepting azure-identity credentials will work the same. -VAULT_URL = os.environ.get("VAULT_URL") -if not VAULT_URL: - print("This sample expects environment variable 'VAULT_URL' to be set with the URL of a Key Vault.") - sys.exit(1) - - -# If it's important for your application to prompt for authentication only at certain times, -# create the credential with disable_automatic_authentication=True. This configures the credential to raise -# when interactive authentication is required, instead of immediately beginning that authentication. -credential = InteractiveBrowserCredential(disable_automatic_authentication=True) -client = SecretClient(VAULT_URL, credential) - -try: - secret_names = [s.name for s in client.list_properties_of_secrets()] -except AuthenticationRequiredError as ex: - # Interactive authentication is necessary to authorize the client's request. The exception carries the - # requested authentication scopes. If you pass these to 'authenticate', it will cache an access token - # for those scopes. - credential.authenticate(scopes=ex.scopes) - -# the client operation should now succeed -secret_names = [s.name for s in client.list_properties_of_secrets()] diff --git a/sdk/identity/azure-identity/samples/user_authentication.py b/sdk/identity/azure-identity/samples/user_authentication.py deleted file mode 100644 index 2c21c2a44973..000000000000 --- a/sdk/identity/azure-identity/samples/user_authentication.py +++ /dev/null @@ -1,43 +0,0 @@ -# ------------------------------------ -# Copyright (c) Microsoft Corporation. -# Licensed under the MIT License. -# ------------------------------------ -"""Demonstrates user authentication using InteractiveBrowserCredential. DeviceCodeCredential supports the same API.""" - -import os -import sys -from azure.identity import AuthenticationRecord, InteractiveBrowserCredential -from azure.keyvault.secrets import SecretClient - - -# This sample uses Key Vault only for demonstration. Any client accepting azure-identity credentials will work the same. -VAULT_URL = os.environ.get("VAULT_URL") -if not VAULT_URL: - print("This sample expects environment variable 'VAULT_URL' to be set with the URL of a Key Vault.") - sys.exit(1) - - -# Persistent caching is optional. By default, interactive credentials cache in memory only. -credential = InteractiveBrowserCredential(enable_persistent_cache=True) - -# The 'authenticate' method begins interactive authentication. Call it whenever it's convenient -# for your application to authenticate a user. It returns a record of the authentication. -record = credential.authenticate() - -# The record contains no authentication secrets. You can serialize it to JSON for storage. -record_json = record.serialize() - -# An authenticated credential is ready for use with a client. This request should succeed -# without prompting for authentication again. -client = SecretClient(VAULT_URL, credential) -secret_names = [s.name for s in client.list_properties_of_secrets()] - -# With persistent caching enabled, an authentication record stored by your application enables -# credentials to access data from past authentications. If the cache contains sufficient data, -# this eliminates the need for your application to prompt for authentication every time it runs. -deserialized_record = AuthenticationRecord.deserialize(record_json) -new_credential = InteractiveBrowserCredential(enable_persistent_cache=True, authentication_record=deserialized_record) - -# This request should also succeed without prompting for authentication. -client = SecretClient(VAULT_URL, new_credential) -secret_names = [s.name for s in client.list_properties_of_secrets()] diff --git a/sdk/identity/azure-identity/tests/test_auth_record.py b/sdk/identity/azure-identity/tests/test_auth_record.py index 5daef9c5dec4..5b4ec83d6da2 100644 --- a/sdk/identity/azure-identity/tests/test_auth_record.py +++ b/sdk/identity/azure-identity/tests/test_auth_record.py @@ -4,7 +4,7 @@ # ------------------------------------ import json -from azure.identity import AuthenticationRecord +from azure.identity._auth_record import AuthenticationRecord def test_serialization(): diff --git a/sdk/identity/azure-identity/tests/test_browser_credential.py b/sdk/identity/azure-identity/tests/test_browser_credential.py index 29b02e01ea63..500006325f40 100644 --- a/sdk/identity/azure-identity/tests/test_browser_credential.py +++ b/sdk/identity/azure-identity/tests/test_browser_credential.py @@ -10,7 +10,8 @@ from azure.core.exceptions import ClientAuthenticationError from azure.core.pipeline.policies import SansIOHTTPPolicy -from azure.identity import AuthenticationRequiredError, CredentialUnavailableError, InteractiveBrowserCredential +from azure.identity import CredentialUnavailableError, InteractiveBrowserCredential +from azure.identity._exceptions import AuthenticationRequiredError from azure.identity._internal import AuthCodeRedirectServer from azure.identity._internal.user_agent import USER_AGENT from msal import TokenCache @@ -95,7 +96,7 @@ def test_authenticate(): tenant_id=tenant_id, transport=transport, ) - record = credential.authenticate(scopes=(scope,)) + record = credential._authenticate(scopes=(scope,)) assert record.authority == environment assert record.home_account_id == object_id + "." + home_tenant @@ -114,7 +115,7 @@ def test_disable_automatic_authentication(): empty_cache = TokenCache() # empty cache makes silent auth impossible transport = Mock(send=Mock(side_effect=Exception("no request should be sent"))) credential = InteractiveBrowserCredential( - disable_automatic_authentication=True, transport=transport, _cache=empty_cache + _disable_automatic_authentication=True, transport=transport, _cache=empty_cache ) with patch(WEBBROWSER_OPEN, Mock(side_effect=Exception("credential shouldn't try interactive authentication"))): diff --git a/sdk/identity/azure-identity/tests/test_certificate_credential.py b/sdk/identity/azure-identity/tests/test_certificate_credential.py index d8562fd36094..0f502aa6a54c 100644 --- a/sdk/identity/azure-identity/tests/test_certificate_credential.py +++ b/sdk/identity/azure-identity/tests/test_certificate_credential.py @@ -197,7 +197,7 @@ def validate_jwt(request, client_id, pem_bytes, expect_x5c=False): @pytest.mark.parametrize("cert_path,cert_password", BOTH_CERTS) def test_enable_persistent_cache(cert_path, cert_password): - """the credential should use the persistent cache only when given enable_persistent_cache=True""" + """the credential should use the persistent cache only when given _enable_persistent_cache=True""" persistent_cache = "azure.identity._internal.persistent_cache" required_arguments = ("tenant-id", "client-id", cert_path) @@ -208,20 +208,20 @@ def test_enable_persistent_cache(cert_path, cert_password): CertificateCredential(*required_arguments, password=cert_password) # allowing an unencrypted cache doesn't count as opting in to the persistent cache - CertificateCredential(*required_arguments, password=cert_password, allow_unencrypted_cache=True) + CertificateCredential(*required_arguments, password=cert_password, _allow_unencrypted_cache=True) # keyword argument opts in to persistent cache with patch(persistent_cache + ".msal_extensions") as mock_extensions: - CertificateCredential(*required_arguments, password=cert_password, enable_persistent_cache=True) + CertificateCredential(*required_arguments, password=cert_password, _enable_persistent_cache=True) assert mock_extensions.PersistedTokenCache.call_count == 1 # opting in on an unsupported platform raises an exception with patch(persistent_cache + ".sys.platform", "commodore64"): with pytest.raises(NotImplementedError): - CertificateCredential(*required_arguments, password=cert_password, enable_persistent_cache=True) + CertificateCredential(*required_arguments, password=cert_password, _enable_persistent_cache=True) with pytest.raises(NotImplementedError): CertificateCredential( - *required_arguments, password=cert_password, enable_persistent_cache=True, allow_unencrypted_cache=True + *required_arguments, password=cert_password, _enable_persistent_cache=True, _allow_unencrypted_cache=True ) @@ -238,7 +238,7 @@ def test_persistent_cache_linux(mock_extensions, cert_path, cert_password): # the credential should prefer an encrypted cache even when the user allows an unencrypted one CertificateCredential( - *required_arguments, password=cert_password, enable_persistent_cache=True, allow_unencrypted_cache=True + *required_arguments, password=cert_password, _enable_persistent_cache=True, _allow_unencrypted_cache=True ) assert mock_extensions.PersistedTokenCache.called_with(mock_extensions.LibsecretPersistence) mock_extensions.PersistedTokenCache.reset_mock() @@ -248,10 +248,10 @@ def test_persistent_cache_linux(mock_extensions, cert_path, cert_password): # encryption unavailable, no opt in to unencrypted cache -> credential should raise with pytest.raises(ValueError): - CertificateCredential(*required_arguments, password=cert_password, enable_persistent_cache=True) + CertificateCredential(*required_arguments, password=cert_password, _enable_persistent_cache=True) CertificateCredential( - *required_arguments, password=cert_password, enable_persistent_cache=True, allow_unencrypted_cache=True + *required_arguments, password=cert_password, _enable_persistent_cache=True, _allow_unencrypted_cache=True ) assert mock_extensions.PersistedTokenCache.called_with(mock_extensions.FilePersistence) @@ -273,11 +273,11 @@ def test_persistent_cache_multiple_clients(cert_path, cert_password): with patch("azure.identity._internal.persistent_cache._load_persistent_cache") as mock_cache_loader: mock_cache_loader.return_value = Mock(wraps=cache) credential_a = CertificateCredential( - "tenant", "client-a", cert_path, password=cert_password, enable_persistent_cache=True, transport=transport_a + "tenant", "client-a", cert_path, password=cert_password, _enable_persistent_cache=True, transport=transport_a ) assert mock_cache_loader.call_count == 1, "credential should load the persistent cache" credential_b = CertificateCredential( - "tenant", "client-b", cert_path, password=cert_password, enable_persistent_cache=True, transport=transport_b + "tenant", "client-b", cert_path, password=cert_password, _enable_persistent_cache=True, transport=transport_b ) assert mock_cache_loader.call_count == 2, "credential should load the persistent cache" diff --git a/sdk/identity/azure-identity/tests/test_certificate_credential_async.py b/sdk/identity/azure-identity/tests/test_certificate_credential_async.py index 973994be2b9c..fed6f12a4be1 100644 --- a/sdk/identity/azure-identity/tests/test_certificate_credential_async.py +++ b/sdk/identity/azure-identity/tests/test_certificate_credential_async.py @@ -151,7 +151,7 @@ async def mock_send(request, **kwargs): @pytest.mark.parametrize("cert_path,cert_password", BOTH_CERTS) def test_enable_persistent_cache(cert_path, cert_password): - """the credential should use the persistent cache only when given enable_persistent_cache=True""" + """the credential should use the persistent cache only when given _enable_persistent_cache=True""" persistent_cache = "azure.identity._internal.persistent_cache" required_arguments = ("tenant-id", "client-id", cert_path) @@ -162,20 +162,20 @@ def test_enable_persistent_cache(cert_path, cert_password): CertificateCredential(*required_arguments, password=cert_password) # allowing an unencrypted cache doesn't count as opting in to the persistent cache - CertificateCredential(*required_arguments, password=cert_password, allow_unencrypted_cache=True) + CertificateCredential(*required_arguments, password=cert_password, _allow_unencrypted_cache=True) # keyword argument opts in to persistent cache with patch(persistent_cache + ".msal_extensions") as mock_extensions: - CertificateCredential(*required_arguments, password=cert_password, enable_persistent_cache=True) + CertificateCredential(*required_arguments, password=cert_password, _enable_persistent_cache=True) assert mock_extensions.PersistedTokenCache.call_count == 1 # opting in on an unsupported platform raises an exception with patch(persistent_cache + ".sys.platform", "commodore64"): with pytest.raises(NotImplementedError): - CertificateCredential(*required_arguments, password=cert_password, enable_persistent_cache=True) + CertificateCredential(*required_arguments, password=cert_password, _enable_persistent_cache=True) with pytest.raises(NotImplementedError): CertificateCredential( - *required_arguments, password=cert_password, enable_persistent_cache=True, allow_unencrypted_cache=True + *required_arguments, password=cert_password, _enable_persistent_cache=True, _allow_unencrypted_cache=True ) @@ -192,7 +192,7 @@ def test_persistent_cache_linux(mock_extensions, cert_path, cert_password): # the credential should prefer an encrypted cache even when the user allows an unencrypted one CertificateCredential( - *required_arguments, password=cert_password, enable_persistent_cache=True, allow_unencrypted_cache=True + *required_arguments, password=cert_password, _enable_persistent_cache=True, _allow_unencrypted_cache=True ) assert mock_extensions.PersistedTokenCache.called_with(mock_extensions.LibsecretPersistence) mock_extensions.PersistedTokenCache.reset_mock() @@ -202,10 +202,10 @@ def test_persistent_cache_linux(mock_extensions, cert_path, cert_password): # encryption unavailable, no opt in to unencrypted cache -> credential should raise with pytest.raises(ValueError): - CertificateCredential(*required_arguments, password=cert_password, enable_persistent_cache=True) + CertificateCredential(*required_arguments, password=cert_password, _enable_persistent_cache=True) CertificateCredential( - *required_arguments, password=cert_password, enable_persistent_cache=True, allow_unencrypted_cache=True + *required_arguments, password=cert_password, _enable_persistent_cache=True, _allow_unencrypted_cache=True ) assert mock_extensions.PersistedTokenCache.called_with(mock_extensions.FilePersistence) @@ -228,11 +228,11 @@ async def test_persistent_cache_multiple_clients(cert_path, cert_password): with patch("azure.identity._internal.persistent_cache._load_persistent_cache") as mock_cache_loader: mock_cache_loader.return_value = Mock(wraps=cache) credential_a = CertificateCredential( - "tenant", "client-a", cert_path, password=cert_password, enable_persistent_cache=True, transport=transport_a + "tenant", "client-a", cert_path, password=cert_password, _enable_persistent_cache=True, transport=transport_a ) assert mock_cache_loader.call_count == 1, "credential should load the persistent cache" credential_b = CertificateCredential( - "tenant", "client-b", cert_path, password=cert_password, enable_persistent_cache=True, transport=transport_b + "tenant", "client-b", cert_path, password=cert_password, _enable_persistent_cache=True, transport=transport_b ) assert mock_cache_loader.call_count == 2, "credential should load the persistent cache" diff --git a/sdk/identity/azure-identity/tests/test_client_secret_credential.py b/sdk/identity/azure-identity/tests/test_client_secret_credential.py index 2e651c1924a0..9944a40e9ff6 100644 --- a/sdk/identity/azure-identity/tests/test_client_secret_credential.py +++ b/sdk/identity/azure-identity/tests/test_client_secret_credential.py @@ -118,7 +118,7 @@ def test_authority(authority): def test_enable_persistent_cache(): - """the credential should use the persistent cache only when given enable_persistent_cache=True""" + """the credential should use the persistent cache only when given _enable_persistent_cache=True""" required_arguments = ("tenant-id", "client-id", "secret") persistent_cache = "azure.identity._internal.persistent_cache" @@ -129,19 +129,19 @@ def test_enable_persistent_cache(): ClientSecretCredential(*required_arguments) # allowing an unencrypted cache doesn't count as opting in to the persistent cache - ClientSecretCredential(*required_arguments, allow_unencrypted_cache=True) + ClientSecretCredential(*required_arguments, _allow_unencrypted_cache=True) # keyword argument opts in to persistent cache with patch(persistent_cache + ".msal_extensions") as mock_extensions: - ClientSecretCredential(*required_arguments, enable_persistent_cache=True) + ClientSecretCredential(*required_arguments, _enable_persistent_cache=True) assert mock_extensions.PersistedTokenCache.call_count == 1 # opting in on an unsupported platform raises an exception with patch(persistent_cache + ".sys.platform", "commodore64"): with pytest.raises(NotImplementedError): - ClientSecretCredential(*required_arguments, enable_persistent_cache=True) + ClientSecretCredential(*required_arguments, _enable_persistent_cache=True) with pytest.raises(NotImplementedError): - ClientSecretCredential(*required_arguments, enable_persistent_cache=True, allow_unencrypted_cache=True) + ClientSecretCredential(*required_arguments, _enable_persistent_cache=True, _allow_unencrypted_cache=True) @patch("azure.identity._internal.persistent_cache.sys.platform", "linux2") @@ -155,7 +155,7 @@ def test_persistent_cache_linux(mock_extensions): required_arguments = ("tenant-id", "client-id", "secret") # the credential should prefer an encrypted cache even when the user allows an unencrypted one - ClientSecretCredential(*required_arguments, enable_persistent_cache=True, allow_unencrypted_cache=True) + ClientSecretCredential(*required_arguments, _enable_persistent_cache=True, _allow_unencrypted_cache=True) assert mock_extensions.PersistedTokenCache.called_with(mock_extensions.LibsecretPersistence) mock_extensions.PersistedTokenCache.reset_mock() @@ -164,9 +164,9 @@ def test_persistent_cache_linux(mock_extensions): # encryption unavailable, no opt in to unencrypted cache -> credential should raise with pytest.raises(ValueError): - ClientSecretCredential(*required_arguments, enable_persistent_cache=True) + ClientSecretCredential(*required_arguments, _enable_persistent_cache=True) - ClientSecretCredential(*required_arguments, enable_persistent_cache=True, allow_unencrypted_cache=True) + ClientSecretCredential(*required_arguments, _enable_persistent_cache=True, _allow_unencrypted_cache=True) assert mock_extensions.PersistedTokenCache.called_with(mock_extensions.FilePersistence) @@ -186,11 +186,11 @@ def test_persistent_cache_multiple_clients(): with patch("azure.identity._internal.persistent_cache._load_persistent_cache") as mock_cache_loader: mock_cache_loader.return_value = Mock(wraps=cache) credential_a = ClientSecretCredential( - "tenant-id", "client-a", "...", enable_persistent_cache=True, transport=transport_a + "tenant-id", "client-a", "...", _enable_persistent_cache=True, transport=transport_a ) assert mock_cache_loader.call_count == 1, "credential should load the persistent cache" credential_b = ClientSecretCredential( - "tenant-id", "client-b", "...", enable_persistent_cache=True, transport=transport_b + "tenant-id", "client-b", "...", _enable_persistent_cache=True, transport=transport_b ) assert mock_cache_loader.call_count == 2, "credential should load the persistent cache" diff --git a/sdk/identity/azure-identity/tests/test_client_secret_credential_async.py b/sdk/identity/azure-identity/tests/test_client_secret_credential_async.py index 3c0bdd231941..6ae2d0adba18 100644 --- a/sdk/identity/azure-identity/tests/test_client_secret_credential_async.py +++ b/sdk/identity/azure-identity/tests/test_client_secret_credential_async.py @@ -186,7 +186,7 @@ async def test_cache(): def test_enable_persistent_cache(): - """the credential should use the persistent cache only when given enable_persistent_cache=True""" + """the credential should use the persistent cache only when given _enable_persistent_cache=True""" required_arguments = ("tenant-id", "client-id", "secret") persistent_cache = "azure.identity._internal.persistent_cache" @@ -197,19 +197,19 @@ def test_enable_persistent_cache(): ClientSecretCredential(*required_arguments) # allowing an unencrypted cache doesn't count as opting in to the persistent cache - ClientSecretCredential(*required_arguments, allow_unencrypted_cache=True) + ClientSecretCredential(*required_arguments, _allow_unencrypted_cache=True) # keyword argument opts in to persistent cache with patch(persistent_cache + ".msal_extensions") as mock_extensions: - ClientSecretCredential(*required_arguments, enable_persistent_cache=True) + ClientSecretCredential(*required_arguments, _enable_persistent_cache=True) assert mock_extensions.PersistedTokenCache.call_count == 1 # opting in on an unsupported platform raises an exception with patch(persistent_cache + ".sys.platform", "commodore64"): with pytest.raises(NotImplementedError): - ClientSecretCredential(*required_arguments, enable_persistent_cache=True) + ClientSecretCredential(*required_arguments, _enable_persistent_cache=True) with pytest.raises(NotImplementedError): - ClientSecretCredential(*required_arguments, enable_persistent_cache=True, allow_unencrypted_cache=True) + ClientSecretCredential(*required_arguments, _enable_persistent_cache=True, _allow_unencrypted_cache=True) @patch("azure.identity._internal.persistent_cache.sys.platform", "linux2") @@ -223,7 +223,7 @@ def test_persistent_cache_linux(mock_extensions): required_arguments = ("tenant-id", "client-id", "secret") # the credential should prefer an encrypted cache even when the user allows an unencrypted one - ClientSecretCredential(*required_arguments, enable_persistent_cache=True, allow_unencrypted_cache=True) + ClientSecretCredential(*required_arguments, _enable_persistent_cache=True, _allow_unencrypted_cache=True) assert mock_extensions.PersistedTokenCache.called_with(mock_extensions.LibsecretPersistence) mock_extensions.PersistedTokenCache.reset_mock() @@ -232,9 +232,9 @@ def test_persistent_cache_linux(mock_extensions): # encryption unavailable, no opt in to unencrypted cache -> credential should raise with pytest.raises(ValueError): - ClientSecretCredential(*required_arguments, enable_persistent_cache=True) + ClientSecretCredential(*required_arguments, _enable_persistent_cache=True) - ClientSecretCredential(*required_arguments, enable_persistent_cache=True, allow_unencrypted_cache=True) + ClientSecretCredential(*required_arguments, _enable_persistent_cache=True, _allow_unencrypted_cache=True) assert mock_extensions.PersistedTokenCache.called_with(mock_extensions.FilePersistence) @@ -255,11 +255,11 @@ async def test_persistent_cache_multiple_clients(): with patch("azure.identity._internal.persistent_cache._load_persistent_cache") as mock_cache_loader: mock_cache_loader.return_value = Mock(wraps=cache) credential_a = ClientSecretCredential( - "tenant-id", "client-a", "...", enable_persistent_cache=True, transport=transport_a + "tenant-id", "client-a", "...", _enable_persistent_cache=True, transport=transport_a ) assert mock_cache_loader.call_count == 1, "credential should load the persistent cache" credential_b = ClientSecretCredential( - "tenant-id", "client-b", "...", enable_persistent_cache=True, transport=transport_b + "tenant-id", "client-b", "...", _enable_persistent_cache=True, transport=transport_b ) assert mock_cache_loader.call_count == 2, "credential should load the persistent cache" diff --git a/sdk/identity/azure-identity/tests/test_device_code_credential.py b/sdk/identity/azure-identity/tests/test_device_code_credential.py index ec2615570995..48761174a2ca 100644 --- a/sdk/identity/azure-identity/tests/test_device_code_credential.py +++ b/sdk/identity/azure-identity/tests/test_device_code_credential.py @@ -6,7 +6,8 @@ from azure.core.exceptions import ClientAuthenticationError from azure.core.pipeline.policies import SansIOHTTPPolicy -from azure.identity import AuthenticationRequiredError, DeviceCodeCredential +from azure.identity import DeviceCodeCredential +from azure.identity._exceptions import AuthenticationRequiredError from azure.identity._internal.user_agent import USER_AGENT from msal import TokenCache import pytest @@ -90,7 +91,7 @@ def test_authenticate(): tenant_id=tenant_id, _cache=TokenCache(), ) - record = credential.authenticate(scopes=(scope,)) + record = credential._authenticate(scopes=(scope,)) assert record.authority == environment assert record.home_account_id == object_id + "." + home_tenant assert record.tenant_id == home_tenant @@ -107,7 +108,7 @@ def test_disable_automatic_authentication(): empty_cache = TokenCache() # empty cache makes silent auth impossible transport = Mock(send=Mock(side_effect=Exception("no request should be sent"))) credential = DeviceCodeCredential( - "client-id", disable_automatic_authentication=True, transport=transport, _cache=empty_cache + "client-id", _disable_automatic_authentication=True, transport=transport, _cache=empty_cache ) with pytest.raises(AuthenticationRequiredError): diff --git a/sdk/identity/azure-identity/tests/test_imds_credential.py b/sdk/identity/azure-identity/tests/test_imds_credential.py index 95f53088b11a..8b040b769f55 100644 --- a/sdk/identity/azure-identity/tests/test_imds_credential.py +++ b/sdk/identity/azure-identity/tests/test_imds_credential.py @@ -169,7 +169,7 @@ def test_identity_config(): ], ) - credential = ImdsCredential(identity_config={param_name: param_value}, transport=transport) + credential = ImdsCredential(_identity_config={param_name: param_value}, transport=transport) token = credential.get_token(scope) assert token == expected_token diff --git a/sdk/identity/azure-identity/tests/test_imds_credential_async.py b/sdk/identity/azure-identity/tests/test_imds_credential_async.py index a4d056f399fc..8c42e643a855 100644 --- a/sdk/identity/azure-identity/tests/test_imds_credential_async.py +++ b/sdk/identity/azure-identity/tests/test_imds_credential_async.py @@ -198,7 +198,7 @@ async def test_identity_config(): ], ) - credential = ImdsCredential(client_id=client_id, identity_config={param_name: param_value}, transport=transport) + credential = ImdsCredential(client_id=client_id, _identity_config={param_name: param_value}, transport=transport) token = await credential.get_token(scope) assert token == expected_token diff --git a/sdk/identity/azure-identity/tests/test_interactive_credential.py b/sdk/identity/azure-identity/tests/test_interactive_credential.py index a708b7c2c9fc..f8f725275af2 100644 --- a/sdk/identity/azure-identity/tests/test_interactive_credential.py +++ b/sdk/identity/azure-identity/tests/test_interactive_credential.py @@ -4,11 +4,11 @@ # ------------------------------------ from azure.core.exceptions import ClientAuthenticationError from azure.identity import ( - AuthenticationRequiredError, - AuthenticationRecord, KnownAuthorities, CredentialUnavailableError, ) +from azure.identity._auth_record import AuthenticationRecord +from azure.identity._exceptions import AuthenticationRequiredError from azure.identity._internal import InteractiveCredential from msal import TokenCache import pytest @@ -81,7 +81,7 @@ def validate_app_parameters(authority, client_id, **_): app_factory = Mock(wraps=validate_app_parameters) credential = MockCredential( - authentication_record=record, disable_automatic_authentication=True, msal_app_factory=app_factory, + _authentication_record=record, _disable_automatic_authentication=True, msal_app_factory=app_factory, ) with pytest.raises(AuthenticationRequiredError): credential.get_token("scope") @@ -104,9 +104,9 @@ def validate_authority(authority, **_): return Mock(get_accounts=Mock(return_value=[])) credential = MockCredential( - authentication_record=record, + _authentication_record=record, tenant_id=expected_tenant, - disable_automatic_authentication=True, + _disable_automatic_authentication=True, msal_app_factory=validate_authority, ) with pytest.raises(AuthenticationRequiredError): @@ -124,8 +124,8 @@ def test_disable_automatic_authentication(): ) credential = MockCredential( - authentication_record=record, - disable_automatic_authentication=True, + _authentication_record=record, + _disable_automatic_authentication=True, msal_app_factory=lambda *_, **__: msal_app, request_token=Mock(side_effect=Exception("credential shouldn't begin interactive authentication")), ) @@ -149,11 +149,11 @@ def validate_scopes(*scopes, **_): return REQUEST_TOKEN_RESULT request_token = Mock(wraps=validate_scopes) - credential = MockCredential(disable_automatic_authentication=True, request_token=request_token) + credential = MockCredential(_disable_automatic_authentication=True, request_token=request_token) with pytest.raises(AuthenticationRequiredError) as ex: credential.get_token(scope) - credential.authenticate(scopes=ex.value.scopes) + credential._authenticate(scopes=ex.value.scopes) assert request_token.call_count == 1, "validation method wasn't called" @@ -175,7 +175,7 @@ def validate_scopes(*scopes): return REQUEST_TOKEN_RESULT request_token = Mock(wraps=validate_scopes) - MockCredential(authority=authority, request_token=request_token).authenticate() + MockCredential(authority=authority, request_token=request_token)._authenticate() assert request_token.call_count == 1 @@ -183,7 +183,7 @@ def test_authenticate_unknown_cloud(): """authenticate should raise when given no scopes in an unknown cloud""" with pytest.raises(CredentialUnavailableError): - MockCredential(authority="localhost").authenticate() + MockCredential(authority="localhost")._authenticate() @pytest.mark.parametrize("option", (True, False)) @@ -191,7 +191,7 @@ def test_authenticate_ignores_disable_automatic_authentication(option): """authenticate should prompt for authentication regardless of the credential's configuration""" request_token = Mock(return_value=REQUEST_TOKEN_RESULT) - MockCredential(request_token=request_token, disable_automatic_authentication=option).authenticate() + MockCredential(request_token=request_token, _disable_automatic_authentication=option)._authenticate() assert request_token.call_count == 1, "credential didn't begin interactive authentication" @@ -207,7 +207,7 @@ class CustomException(Exception): acquire_token_silent_with_error=Mock(side_effect=CustomException(expected_message)), get_accounts=Mock(return_value=[{"home_account_id": record.home_account_id}]), ) - credential = MockCredential(msal_app_factory=lambda *_, **__: msal_app, authentication_record=record) + credential = MockCredential(msal_app_factory=lambda *_, **__: msal_app, _authentication_record=record) with pytest.raises(ClientAuthenticationError) as ex: credential.get_token("scope") @@ -216,7 +216,7 @@ class CustomException(Exception): def test_enable_persistent_cache(): - """the credential should use the persistent cache only when given enable_persistent_cache=True""" + """the credential should use the persistent cache only when given _enable_persistent_cache=True""" class TestCredential(InteractiveCredential): def __init__(self, **kwargs): @@ -237,20 +237,20 @@ def _request_token(self, *_, **__): assert credential._cache is in_memory_cache # allowing an unencrypted cache doesn't count as opting in to the persistent cache - credential = TestCredential(allow_unencrypted_cache=True) + credential = TestCredential(_allow_unencrypted_cache=True) assert credential._cache is in_memory_cache # keyword argument opts in to persistent cache with patch(persistent_cache + ".msal_extensions") as mock_extensions: - TestCredential(enable_persistent_cache=True) + TestCredential(_enable_persistent_cache=True) assert mock_extensions.PersistedTokenCache.call_count == 1 # opting in on an unsupported platform raises an exception with patch(persistent_cache + ".sys.platform", "commodore64"): with pytest.raises(NotImplementedError): - TestCredential(enable_persistent_cache=True) + TestCredential(_enable_persistent_cache=True) with pytest.raises(NotImplementedError): - TestCredential(enable_persistent_cache=True, allow_unencrypted_cache=True) + TestCredential(_enable_persistent_cache=True, _allow_unencrypted_cache=True) @patch("azure.identity._internal.persistent_cache.sys.platform", "linux2") @@ -269,7 +269,7 @@ def _request_token(self, *_, **__): pass # the credential should prefer an encrypted cache even when the user allows an unencrypted one - TestCredential(enable_persistent_cache=True, allow_unencrypted_cache=True) + TestCredential(_enable_persistent_cache=True, _allow_unencrypted_cache=True) assert mock_extensions.PersistedTokenCache.called_with(mock_extensions.LibsecretPersistence) mock_extensions.PersistedTokenCache.reset_mock() @@ -278,9 +278,9 @@ def _request_token(self, *_, **__): # encryption unavailable, no opt in to unencrypted cache -> credential should raise with pytest.raises(ValueError): - TestCredential(enable_persistent_cache=True) + TestCredential(_enable_persistent_cache=True) - TestCredential(enable_persistent_cache=True, allow_unencrypted_cache=True) + TestCredential(_enable_persistent_cache=True, _allow_unencrypted_cache=True) assert mock_extensions.PersistedTokenCache.called_with(mock_extensions.FilePersistence) @@ -306,7 +306,7 @@ def __init__(self, **kwargs): def _request_token(self, *_, **__): return msal_response - record = TestCredential().authenticate() + record = TestCredential()._authenticate() assert record.home_account_id == "{}.{}".format(object_id, home_tenant) @@ -334,7 +334,7 @@ def __init__(self, **kwargs): def _request_token(self, *_, **__): return msal_response - record = TestCredential().authenticate() + record = TestCredential()._authenticate() assert record.authority == authority assert record.home_account_id == subject assert record.tenant_id == tenant diff --git a/sdk/identity/azure-identity/tests/test_msi_credential.py b/sdk/identity/azure-identity/tests/test_msi_credential.py index 7536688774e2..28f67a357790 100644 --- a/sdk/identity/azure-identity/tests/test_msi_credential.py +++ b/sdk/identity/azure-identity/tests/test_msi_credential.py @@ -68,7 +68,7 @@ def test_identity_config_app_service(): {EnvironmentVariables.MSI_ENDPOINT: endpoint, EnvironmentVariables.MSI_SECRET: secret}, clear=True, ): - credential = MsiCredential(identity_config={param_name: param_value}, transport=transport) + credential = MsiCredential(_identity_config={param_name: param_value}, transport=transport) token = credential.get_token(scope) assert token == expected_token @@ -107,7 +107,7 @@ def test_identity_config_cloud_shell(): with mock.patch.dict( MsiCredential.__module__ + ".os.environ", {EnvironmentVariables.MSI_ENDPOINT: endpoint}, clear=True ): - credential = MsiCredential(identity_config={param_name: param_value}, transport=transport) + credential = MsiCredential(_identity_config={param_name: param_value}, transport=transport) token = credential.get_token(scope) assert token == expected_token diff --git a/sdk/identity/azure-identity/tests/test_msi_credential_async.py b/sdk/identity/azure-identity/tests/test_msi_credential_async.py index dfa038963536..b9ff2bf114f8 100644 --- a/sdk/identity/azure-identity/tests/test_msi_credential_async.py +++ b/sdk/identity/azure-identity/tests/test_msi_credential_async.py @@ -96,7 +96,7 @@ async def test_identity_config_app_service(): {EnvironmentVariables.MSI_ENDPOINT: endpoint, EnvironmentVariables.MSI_SECRET: secret}, clear=True, ): - credential = MsiCredential(identity_config={param_name: param_value}, transport=transport) + credential = MsiCredential(_identity_config={param_name: param_value}, transport=transport) token = await credential.get_token(scope) assert token == expected_token @@ -135,7 +135,7 @@ async def test_identity_config_cloud_shell(): with mock.patch.dict( MsiCredential.__module__ + ".os.environ", {EnvironmentVariables.MSI_ENDPOINT: endpoint}, clear=True ): - credential = MsiCredential(identity_config={param_name: param_value}, transport=transport) + credential = MsiCredential(_identity_config={param_name: param_value}, transport=transport) token = await credential.get_token(scope) assert token == expected_token diff --git a/sdk/identity/azure-identity/tests/test_shared_cache_credential.py b/sdk/identity/azure-identity/tests/test_shared_cache_credential.py index 9634fe8dced6..f8a4b97b1109 100644 --- a/sdk/identity/azure-identity/tests/test_shared_cache_credential.py +++ b/sdk/identity/azure-identity/tests/test_shared_cache_credential.py @@ -5,10 +5,10 @@ from azure.core.exceptions import ClientAuthenticationError from azure.core.pipeline.policies import SansIOHTTPPolicy from azure.identity import ( - AuthenticationRecord, CredentialUnavailableError, SharedTokenCacheCredential, ) +from azure.identity._auth_record import AuthenticationRecord from azure.identity._constants import DEVELOPER_SIGN_ON_CLIENT_ID, EnvironmentVariables from azure.identity._internal.shared_token_cache import ( KNOWN_ALIASES, @@ -45,16 +45,16 @@ def test_tenant_id_validation(): valid_ids = {"c878a2ab-8ef4-413b-83a0-199afb84d7fb", "contoso.onmicrosoft.com", "organizations", "common"} for tenant in valid_ids: record = AuthenticationRecord(tenant, "client-id", "authority", "home.account.id", "username") - SharedTokenCacheCredential(authentication_record=record) - SharedTokenCacheCredential(authentication_record=record, tenant_id=tenant) + SharedTokenCacheCredential(_authentication_record=record) + SharedTokenCacheCredential(_authentication_record=record, tenant_id=tenant) invalid_ids = {"", "my tenant", "my_tenant", "/", "\\", '"my-tenant"', "'my-tenant'"} for tenant in invalid_ids: record = AuthenticationRecord(tenant, "client-id", "authority", "home.account.id", "username") with pytest.raises(ValueError): - SharedTokenCacheCredential(authentication_record=record) + SharedTokenCacheCredential(_authentication_record=record) with pytest.raises(ValueError): - SharedTokenCacheCredential(authentication_record=record, tenant_id=tenant) + SharedTokenCacheCredential(_authentication_record=record, tenant_id=tenant) def test_supported(): @@ -546,7 +546,7 @@ def send(request, **_): return get_discovery_response() credential = SharedTokenCacheCredential( - authentication_record=record, transport=Mock(send=send), _cache=TokenCache() + _authentication_record=record, transport=Mock(send=send), _cache=TokenCache() ) with pytest.raises(CredentialUnavailableError): @@ -572,7 +572,7 @@ def send(request, **_): "not-" + username, "not-" + object_id, "different-" + tenant_id, client_id="not-" + client_id, ), ) - credential = SharedTokenCacheCredential(authentication_record=record, transport=Mock(send=send), _cache=cache) + credential = SharedTokenCacheCredential(_authentication_record=record, transport=Mock(send=send), _cache=cache) with pytest.raises(CredentialUnavailableError): credential.get_token("scope") @@ -599,7 +599,7 @@ def test_authentication_record(): requests=[Request(authority=authority, required_data={"refresh_token": expected_refresh_token})], responses=[mock_response(json_payload=build_aad_response(access_token=expected_access_token))], ) - credential = SharedTokenCacheCredential(authentication_record=record, transport=transport, _cache=cache) + credential = SharedTokenCacheCredential(_authentication_record=record, transport=transport, _cache=cache) token = credential.get_token("scope") assert token.token == expected_access_token @@ -636,12 +636,13 @@ def test_auth_record_multiple_accounts_for_username(): requests=[Request(authority=authority, required_data={"refresh_token": expected_refresh_token})], responses=[mock_response(json_payload=build_aad_response(access_token=expected_access_token))], ) - credential = SharedTokenCacheCredential(authentication_record=record, transport=transport, _cache=cache) + credential = SharedTokenCacheCredential(_authentication_record=record, transport=transport, _cache=cache) token = credential.get_token("scope") assert token.token == expected_access_token +@pytest.mark.skip("in 1.5.0 allow_unencrypted_cache is private and defaults to True") @patch("azure.identity._internal.persistent_cache.sys.platform", "linux2") @patch("azure.identity._internal.persistent_cache.msal_extensions") def test_allow_unencrypted_cache(mock_extensions): @@ -792,7 +793,7 @@ def mock_send(request, **_): transport = Mock(send=Mock(wraps=mock_send)) credential = SharedTokenCacheCredential( - authentication_record=record, _cache=TokenCache(), tenant_id=expected_tenant_id, transport=transport + _authentication_record=record, _cache=TokenCache(), tenant_id=expected_tenant_id, transport=transport ) with pytest.raises(CredentialUnavailableError): credential.get_token("scope") # this raises because the cache is empty diff --git a/sdk/identity/azure-identity/tests/test_shared_cache_credential_async.py b/sdk/identity/azure-identity/tests/test_shared_cache_credential_async.py index 7613200e97ee..4599be446126 100644 --- a/sdk/identity/azure-identity/tests/test_shared_cache_credential_async.py +++ b/sdk/identity/azure-identity/tests/test_shared_cache_credential_async.py @@ -589,6 +589,7 @@ async def test_authority_environment_variable(): assert token.token == expected_access_token +@pytest.mark.skip("in 1.5.0 allow_unencrypted_cache is private and defaults to True") @pytest.mark.asyncio async def test_allow_unencrypted_cache(): """The credential should use an unencrypted cache when encryption is unavailable and the user explicitly allows it. diff --git a/sdk/identity/azure-identity/tests/test_username_password_credential.py b/sdk/identity/azure-identity/tests/test_username_password_credential.py index ffa529163209..ac19fa813a73 100644 --- a/sdk/identity/azure-identity/tests/test_username_password_credential.py +++ b/sdk/identity/azure-identity/tests/test_username_password_credential.py @@ -136,7 +136,7 @@ def test_authenticate(): tenant_id=tenant_id, transport=transport, ) - record = credential.authenticate(scopes=(scope,)) + record = credential._authenticate(scopes=(scope,)) assert record.authority == environment assert record.home_account_id == object_id + "." + home_tenant assert record.tenant_id == home_tenant