diff --git a/sdk/identity/azure-identity/azure/identity/__init__.py b/sdk/identity/azure-identity/azure/identity/__init__.py index a749d3510112..3819005a9e63 100644 --- a/sdk/identity/azure-identity/azure/identity/__init__.py +++ b/sdk/identity/azure-identity/azure/identity/__init__.py @@ -4,7 +4,8 @@ # ------------------------------------ """Credentials for Azure SDK clients.""" -from ._exceptions import CredentialUnavailableError +from ._auth_record import AuthenticationRecord +from ._exceptions import AuthenticationRequiredError, CredentialUnavailableError from ._constants import AzureAuthorityHosts, KnownAuthorities from ._credentials import ( AzureCliCredential, @@ -24,6 +25,8 @@ __all__ = [ + "AuthenticationRecord", + "AuthenticationRequiredError", "AuthorizationCodeCredential", "AzureAuthorityHosts", "AzureCliCredential", diff --git a/sdk/identity/azure-identity/azure/identity/_credentials/app_service.py b/sdk/identity/azure-identity/azure/identity/_credentials/app_service.py index fa1ce61eec61..4ef34b766dd3 100644 --- a/sdk/identity/azure-identity/azure/identity/_credentials/app_service.py +++ b/sdk/identity/azure-identity/azure/identity/_credentials/app_service.py @@ -48,7 +48,7 @@ def _request_token(self, *scopes, **kwargs): def _get_client_args(**kwargs): # type: (dict) -> Optional[dict] - identity_config = kwargs.pop("_identity_config", None) or {} + identity_config = kwargs.pop("identity_config", None) or {} url = os.environ.get(EnvironmentVariables.MSI_ENDPOINT) secret = os.environ.get(EnvironmentVariables.MSI_SECRET) diff --git a/sdk/identity/azure-identity/azure/identity/_credentials/browser.py b/sdk/identity/azure-identity/azure/identity/_credentials/browser.py index c2f11a9fa304..cbb8194d7882 100644 --- a/sdk/identity/azure-identity/azure/identity/_credentials/browser.py +++ b/sdk/identity/azure-identity/azure/identity/_credentials/browser.py @@ -40,6 +40,13 @@ class InteractiveBrowserCredential(InteractiveCredential): Active Directory, for example "http://localhost:8400". This is only required when passing a value for `client_id`, and must match a redirect URI in the application's registration. The credential must be able to bind a socket to this URI. + :keyword AuthenticationRecord authentication_record: :class:`AuthenticationRecord` returned by :func:`authenticate` + :keyword bool disable_automatic_authentication: if True, :func:`get_token` will raise + :class:`AuthenticationRequiredError` when user interaction is required to acquire a token. Defaults to False. + :keyword bool enable_persistent_cache: if True, the credential will store tokens in a persistent cache shared by + other user credentials. Defaults to False. + :keyword bool allow_unencrypted_cache: if True, the credential will fall back to a plaintext cache on platforms + where encryption is unavailable. Default to False. Has no effect when `enable_persistent_cache` is False. :keyword int timeout: seconds to wait for the user to complete authentication. Defaults to 300 (5 minutes). """ diff --git a/sdk/identity/azure-identity/azure/identity/_credentials/certificate.py b/sdk/identity/azure-identity/azure/identity/_credentials/certificate.py index 520f3e2a6cc5..49fc06ee0f67 100644 --- a/sdk/identity/azure-identity/azure/identity/_credentials/certificate.py +++ b/sdk/identity/azure-identity/azure/identity/_credentials/certificate.py @@ -33,6 +33,10 @@ class CertificateCredential(ClientCredentialBase): :keyword bool send_certificate_chain: if True, the credential will send the public certificate chain in the x5c header of each token request's JWT. This is required for Subject Name/Issuer (SNI) authentication. Defaults to False. + :keyword bool enable_persistent_cache: if True, the credential will store tokens in a persistent cache. Defaults to + False. + :keyword bool allow_unencrypted_cache: if True, the credential will fall back to a plaintext cache when encryption + is unavailable. Default to False. Has no effect when `enable_persistent_cache` is False. """ def __init__(self, tenant_id, client_id, certificate_path, **kwargs): diff --git a/sdk/identity/azure-identity/azure/identity/_credentials/client_secret.py b/sdk/identity/azure-identity/azure/identity/_credentials/client_secret.py index c6a871f92ca9..311a6f1ef3e8 100644 --- a/sdk/identity/azure-identity/azure/identity/_credentials/client_secret.py +++ b/sdk/identity/azure-identity/azure/identity/_credentials/client_secret.py @@ -21,6 +21,10 @@ class ClientSecretCredential(ClientCredentialBase): :keyword str authority: Authority of an Azure Active Directory endpoint, for example 'login.microsoftonline.com', the authority for Azure Public Cloud (which is the default). :class:`~azure.identity.AzureAuthorityHosts` defines authorities for other clouds. + :keyword bool enable_persistent_cache: if True, the credential will store tokens in a persistent cache. Defaults to + False. + :keyword bool allow_unencrypted_cache: if True, the credential will fall back to a plaintext cache when encryption + is unavailable. Default to False. Has no effect when `enable_persistent_cache` is False. """ def __init__(self, tenant_id, client_id, client_secret, **kwargs): diff --git a/sdk/identity/azure-identity/azure/identity/_credentials/device_code.py b/sdk/identity/azure-identity/azure/identity/_credentials/device_code.py index 9be8475a8b7a..48b1d896dab3 100644 --- a/sdk/identity/azure-identity/azure/identity/_credentials/device_code.py +++ b/sdk/identity/azure-identity/azure/identity/_credentials/device_code.py @@ -48,6 +48,13 @@ class DeviceCodeCredential(InteractiveCredential): - ``expires_on`` (datetime.datetime) the UTC time at which the code will expire If this argument isn't provided, the credential will print instructions to stdout. :paramtype prompt_callback: Callable[str, str, ~datetime.datetime] + :keyword AuthenticationRecord authentication_record: :class:`AuthenticationRecord` returned by :func:`authenticate` + :keyword bool disable_automatic_authentication: if True, :func:`get_token` will raise + :class:`AuthenticationRequiredError` when user interaction is required to acquire a token. Defaults to False. + :keyword bool enable_persistent_cache: if True, the credential will store tokens in a persistent cache shared by + other user credentials. Defaults to False. + :keyword bool allow_unencrypted_cache: if True, the credential will fall back to a plaintext cache on platforms + where encryption is unavailable. Default to False. Has no effect when `enable_persistent_cache` is False. """ def __init__(self, client_id=DEVELOPER_SIGN_ON_CLIENT_ID, **kwargs): diff --git a/sdk/identity/azure-identity/azure/identity/_credentials/managed_identity.py b/sdk/identity/azure-identity/azure/identity/_credentials/managed_identity.py index a91b77ceb15d..7d52a5dcab48 100644 --- a/sdk/identity/azure-identity/azure/identity/_credentials/managed_identity.py +++ b/sdk/identity/azure-identity/azure/identity/_credentials/managed_identity.py @@ -44,6 +44,10 @@ class ManagedIdentityCredential(object): the keyword arguments. :keyword str client_id: a user-assigned identity's client ID. This is supported in all hosting environments. + :keyword identity_config: a mapping ``{parameter_name: value}`` specifying a user-assigned identity by its object + or resource ID, for example ``{"object_id": "..."}``. Check the documentation for your hosting environment to + learn what values it expects. + :paramtype identity_config: Mapping[str, str] """ def __init__(self, **kwargs): @@ -96,7 +100,7 @@ def get_token(self, *scopes, **kwargs): class _ManagedIdentityBase(object): def __init__(self, endpoint, client_cls, config=None, client_id=None, **kwargs): # type: (str, Type, Optional[Configuration], Optional[str], **Any) -> None - self._identity_config = kwargs.pop("_identity_config", None) or {} + self._identity_config = kwargs.pop("identity_config", None) or {} if client_id: if os.environ.get(EnvironmentVariables.MSI_ENDPOINT) and os.environ.get(EnvironmentVariables.MSI_SECRET): # App Service: version 2017-09-1 accepts client ID as parameter "clientid" diff --git a/sdk/identity/azure-identity/azure/identity/_credentials/shared_cache.py b/sdk/identity/azure-identity/azure/identity/_credentials/shared_cache.py index daaa48d89e1b..e36a4c1edffe 100644 --- a/sdk/identity/azure-identity/azure/identity/_credentials/shared_cache.py +++ b/sdk/identity/azure-identity/azure/identity/_credentials/shared_cache.py @@ -24,7 +24,7 @@ if TYPE_CHECKING: # pylint:disable=unused-import,ungrouped-imports from typing import Any, Optional - from .._auth_record import AuthenticationRecord + from .. import AuthenticationRecord from .._internal import AadClientBase @@ -40,12 +40,16 @@ class SharedTokenCacheCredential(SharedTokenCacheBase): defines authorities for other clouds. :keyword str tenant_id: an Azure Active Directory tenant ID. Used to select an account when the cache contains tokens for multiple identities. + :keyword AuthenticationRecord authentication_record: an authentication record returned by a user credential such as + :class:`DeviceCodeCredential` or :class:`InteractiveBrowserCredential` + :keyword bool allow_unencrypted_cache: if True, the credential will fall back to a plaintext cache when encryption + is unavailable. Defaults to False. """ def __init__(self, username=None, **kwargs): # type: (Optional[str], **Any) -> None - self._auth_record = kwargs.pop("_authentication_record", None) # type: Optional[AuthenticationRecord] + self._auth_record = kwargs.pop("authentication_record", None) # type: Optional[AuthenticationRecord] if self._auth_record: # authenticate in the tenant that produced the record unless "tenant_id" specifies another self._tenant_id = kwargs.pop("tenant_id", None) or self._auth_record.tenant_id diff --git a/sdk/identity/azure-identity/azure/identity/_credentials/user_password.py b/sdk/identity/azure-identity/azure/identity/_credentials/user_password.py index 793d926a4784..5c381a8f90bb 100644 --- a/sdk/identity/azure-identity/azure/identity/_credentials/user_password.py +++ b/sdk/identity/azure-identity/azure/identity/_credentials/user_password.py @@ -33,6 +33,10 @@ class UsernamePasswordCredential(InteractiveCredential): defines authorities for other clouds. :keyword str tenant_id: tenant ID or a domain associated with a tenant. If not provided, defaults to the 'organizations' tenant, which supports only Azure Active Directory work or school accounts. + :keyword bool enable_persistent_cache: if True, the credential will store tokens in a persistent cache shared by + other user credentials. Defaults to False. + :keyword bool allow_unencrypted_cache: if True, the credential will fall back to a plaintext cache on platforms + where encryption is unavailable. Default to False. Has no effect when `enable_persistent_cache` is False. """ def __init__(self, client_id, username, password, **kwargs): @@ -42,7 +46,7 @@ def __init__(self, client_id, username, password, **kwargs): # first time it's asked for a token. However, we want to ensure this first authentication is not silent, to # validate the given password. This class therefore doesn't document the authentication_record argument, and we # discard it here. - kwargs.pop("_authentication_record", None) + kwargs.pop("authentication_record", None) super(UsernamePasswordCredential, self).__init__(client_id=client_id, **kwargs) self._username = username self._password = password diff --git a/sdk/identity/azure-identity/azure/identity/_internal/certificate_credential_base.py b/sdk/identity/azure-identity/azure/identity/_internal/certificate_credential_base.py index 7b1170dddecf..32524d3d5682 100644 --- a/sdk/identity/azure-identity/azure/identity/_internal/certificate_credential_base.py +++ b/sdk/identity/azure-identity/azure/identity/_internal/certificate_credential_base.py @@ -46,9 +46,9 @@ def __init__(self, tenant_id, client_id, certificate_path, **kwargs): self._certificate = AadClientCertificate(pem_bytes, password=password) - _enable_persistent_cache = kwargs.pop("_enable_persistent_cache", False) - if _enable_persistent_cache: - allow_unencrypted = kwargs.pop("_allow_unencrypted_cache", False) + enable_persistent_cache = kwargs.pop("enable_persistent_cache", False) + if enable_persistent_cache: + allow_unencrypted = kwargs.pop("allow_unencrypted_cache", False) cache = load_service_principal_cache(allow_unencrypted) else: cache = TokenCache() diff --git a/sdk/identity/azure-identity/azure/identity/_internal/client_credential_base.py b/sdk/identity/azure-identity/azure/identity/_internal/client_credential_base.py index 7d8b88920613..68fc0df801ea 100644 --- a/sdk/identity/azure-identity/azure/identity/_internal/client_credential_base.py +++ b/sdk/identity/azure-identity/azure/identity/_internal/client_credential_base.py @@ -23,8 +23,8 @@ class ClientCredentialBase(MsalCredential, GetTokenMixin): """Base class for credentials authenticating a service principal with a certificate or secret""" def __init__(self, **kwargs): - if kwargs.pop("_enable_persistent_cache", False): - allow_unencrypted = kwargs.pop("_allow_unencrypted_cache", False) + if kwargs.pop("enable_persistent_cache", False): + allow_unencrypted = kwargs.pop("allow_unencrypted_cache", False) cache = load_service_principal_cache(allow_unencrypted) else: cache = msal.TokenCache() diff --git a/sdk/identity/azure-identity/azure/identity/_internal/client_secret_credential_base.py b/sdk/identity/azure-identity/azure/identity/_internal/client_secret_credential_base.py index 6af19577ed24..204b9a52ee51 100644 --- a/sdk/identity/azure-identity/azure/identity/_internal/client_secret_credential_base.py +++ b/sdk/identity/azure-identity/azure/identity/_internal/client_secret_credential_base.py @@ -33,9 +33,9 @@ def __init__(self, tenant_id, client_id, client_secret, **kwargs): ) validate_tenant_id(tenant_id) - _enable_persistent_cache = kwargs.pop("_enable_persistent_cache", False) - if _enable_persistent_cache: - allow_unencrypted = kwargs.pop("_allow_unencrypted_cache", False) + enable_persistent_cache = kwargs.pop("enable_persistent_cache", False) + if enable_persistent_cache: + allow_unencrypted = kwargs.pop("allow_unencrypted_cache", False) cache = load_service_principal_cache(allow_unencrypted) else: cache = TokenCache() diff --git a/sdk/identity/azure-identity/azure/identity/_internal/interactive.py b/sdk/identity/azure-identity/azure/identity/_internal/interactive.py index 8bf446ee5064..333a884e80e4 100644 --- a/sdk/identity/azure-identity/azure/identity/_internal/interactive.py +++ b/sdk/identity/azure-identity/azure/identity/_internal/interactive.py @@ -82,8 +82,8 @@ def _build_auth_record(response): class InteractiveCredential(MsalCredential): def __init__(self, **kwargs): - self._disable_automatic_authentication = kwargs.pop("_disable_automatic_authentication", False) - self._auth_record = kwargs.pop("_authentication_record", None) # type: Optional[AuthenticationRecord] + self._disable_automatic_authentication = kwargs.pop("disable_automatic_authentication", False) + self._auth_record = kwargs.pop("authentication_record", None) # type: Optional[AuthenticationRecord] if self._auth_record: kwargs.pop("client_id", None) # authentication_record overrides client_id argument tenant_id = kwargs.pop("tenant_id", None) or self._auth_record.tenant_id @@ -108,6 +108,8 @@ def get_token(self, *scopes, **kwargs): required data, state, or platform support :raises ~azure.core.exceptions.ClientAuthenticationError: authentication failed. The error's ``message`` attribute gives a reason. + :raises AuthenticationRequiredError: user interaction is necessary to acquire a token, and the credential is + configured not to begin this automatically. Call :func:`authenticate` to begin interactive authentication. """ if not scopes: message = "'get_token' requires at least one scope" @@ -149,7 +151,7 @@ def get_token(self, *scopes, **kwargs): _LOGGER.info("%s.get_token succeeded", self.__class__.__name__) return AccessToken(result["access_token"], now + int(result["expires_in"])) - def _authenticate(self, **kwargs): + def authenticate(self, **kwargs): # type: (**Any) -> AuthenticationRecord """Interactively authenticate a user. diff --git a/sdk/identity/azure-identity/azure/identity/_internal/msal_credentials.py b/sdk/identity/azure-identity/azure/identity/_internal/msal_credentials.py index 8fd47ee20075..bb8437453031 100644 --- a/sdk/identity/azure-identity/azure/identity/_internal/msal_credentials.py +++ b/sdk/identity/azure-identity/azure/identity/_internal/msal_credentials.py @@ -40,8 +40,8 @@ def __init__(self, client_id, client_credential=None, **kwargs): self._cache = kwargs.pop("_cache", None) # internal, for use in tests if not self._cache: - if kwargs.pop("_enable_persistent_cache", False): - allow_unencrypted = kwargs.pop("_allow_unencrypted_cache", False) + if kwargs.pop("enable_persistent_cache", False): + allow_unencrypted = kwargs.pop("allow_unencrypted_cache", False) self._cache = load_user_cache(allow_unencrypted) else: self._cache = msal.TokenCache() diff --git a/sdk/identity/azure-identity/azure/identity/_internal/shared_token_cache.py b/sdk/identity/azure-identity/azure/identity/_internal/shared_token_cache.py index 8aa991c4d28b..11d42936cd57 100644 --- a/sdk/identity/azure-identity/azure/identity/_internal/shared_token_cache.py +++ b/sdk/identity/azure-identity/azure/identity/_internal/shared_token_cache.py @@ -112,7 +112,7 @@ def _initialize(self): def _load_cache(self): if not self._cache and self.supported(): - allow_unencrypted = self._client_kwargs.get("_allow_unencrypted_cache", True) + allow_unencrypted = self._client_kwargs.get("allow_unencrypted_cache", False) try: self._cache = load_user_cache(allow_unencrypted) except Exception: # pylint:disable=broad-except diff --git a/sdk/identity/azure-identity/azure/identity/aio/_credentials/client_secret.py b/sdk/identity/azure-identity/azure/identity/aio/_credentials/client_secret.py index 6ad7d3ec2972..b83ac21dba5b 100644 --- a/sdk/identity/azure-identity/azure/identity/aio/_credentials/client_secret.py +++ b/sdk/identity/azure-identity/azure/identity/aio/_credentials/client_secret.py @@ -23,6 +23,10 @@ class ClientSecretCredential(AsyncContextManager, ClientSecretCredentialBase): :keyword str authority: Authority of an Azure Active Directory endpoint, for example 'login.microsoftonline.com', the authority for Azure Public Cloud (which is the default). :class:`~azure.identity.AzureAuthorityHosts` defines authorities for other clouds. + :keyword bool enable_persistent_cache: if True, the credential will store tokens in a persistent cache. Defaults to + False. + :keyword bool allow_unencrypted_cache: if True, the credential will fall back to a plaintext cache when encryption + is unavailable. Default to False. Has no effect when `enable_persistent_cache` is False. """ async def __aenter__(self): diff --git a/sdk/identity/azure-identity/azure/identity/aio/_credentials/managed_identity.py b/sdk/identity/azure-identity/azure/identity/aio/_credentials/managed_identity.py index 2284ff9af936..010f9a74d682 100644 --- a/sdk/identity/azure-identity/azure/identity/aio/_credentials/managed_identity.py +++ b/sdk/identity/azure-identity/azure/identity/aio/_credentials/managed_identity.py @@ -32,6 +32,10 @@ class ManagedIdentityCredential(AsyncContextManager): the keyword arguments. :keyword str client_id: a user-assigned identity's client ID. This is supported in all hosting environments. + :keyword identity_config: a mapping ``{parameter_name: value}`` specifying a user-assigned identity by its object + or resource ID, for example ``{"object_id": "..."}``. Check the documentation for your hosting environment to + learn what values it expects. + :paramtype identity_config: Mapping[str, str] """ def __init__(self, **kwargs: "Any") -> None: diff --git a/sdk/identity/azure-identity/azure/identity/aio/_credentials/shared_cache.py b/sdk/identity/azure-identity/azure/identity/aio/_credentials/shared_cache.py index 86fc662801a2..a34d56042970 100644 --- a/sdk/identity/azure-identity/azure/identity/aio/_credentials/shared_cache.py +++ b/sdk/identity/azure-identity/azure/identity/aio/_credentials/shared_cache.py @@ -29,6 +29,8 @@ class SharedTokenCacheCredential(SharedTokenCacheBase, AsyncContextManager): defines authorities for other clouds. :keyword str tenant_id: an Azure Active Directory tenant ID. Used to select an account when the cache contains tokens for multiple identities. + :keyword bool allow_unencrypted_cache: if True, the credential will fall back to a plaintext cache when encryption + is unavailable. Defaults to False. """ async def __aenter__(self): diff --git a/sdk/identity/azure-identity/samples/README.md b/sdk/identity/azure-identity/samples/README.md index 72d6c19fa39f..ab61f28e7cc6 100644 --- a/sdk/identity/azure-identity/samples/README.md +++ b/sdk/identity/azure-identity/samples/README.md @@ -12,8 +12,14 @@ urlFragment: identity-samples ## Prerequisites -You must have an [Azure subscription](https://azure.microsoft.com/free) to run -these samples. +You must have an [Azure subscription](https://azure.microsoft.com/free) and an +[Azure Key Vault](https://azure.microsoft.com/services/key-vault/) to run +these samples. You can create a Key Vault in the +[Azure Portal](https://portal.azure.com/#create/Microsoft.KeyVault) or with the +[Azure CLI](https://docs.microsoft.com/azure/key-vault/secrets/quick-create-cli). + +Azure Key Vault is used only to demonstrate authentication. Azure Identity has +the same API for all compatible client libraries. ## Setup @@ -21,10 +27,12 @@ To run these samples, first install the Azure Identity and Key Vault Secrets client libraries: ```commandline -pip install azure-identity +pip install azure-identity azure-keyvault-secrets ``` ## Contents | File | Description | |-------------|-------------| +| control_interactive_prompts.py | demonstrates controlling when interactive credentials prompt for user interaction | | custom_credentials.py | demonstrates custom credential implementation | +| user_authentication.py | demonstrates user authentication API for applications | diff --git a/sdk/identity/azure-identity/samples/control_interactive_prompts.py b/sdk/identity/azure-identity/samples/control_interactive_prompts.py new file mode 100644 index 000000000000..10dabf65e9d2 --- /dev/null +++ b/sdk/identity/azure-identity/samples/control_interactive_prompts.py @@ -0,0 +1,38 @@ +# ------------------------------------ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +# ------------------------------------ +"""Demonstrates controlling the timing of interactive authentication using InteractiveBrowserCredential. + +DeviceCodeCredential supports the same API. +""" + +import os +import sys +from azure.identity import AuthenticationRequiredError, InteractiveBrowserCredential +from azure.keyvault.secrets import SecretClient + + +# This sample uses Key Vault only for demonstration. Any client accepting azure-identity credentials will work the same. +VAULT_URL = os.environ.get("VAULT_URL") +if not VAULT_URL: + print("This sample expects environment variable 'VAULT_URL' to be set with the URL of a Key Vault.") + sys.exit(1) + + +# If it's important for your application to prompt for authentication only at certain times, +# create the credential with disable_automatic_authentication=True. This configures the credential to raise +# when interactive authentication is required, instead of immediately beginning that authentication. +credential = InteractiveBrowserCredential(disable_automatic_authentication=True) +client = SecretClient(VAULT_URL, credential) + +try: + secret_names = [s.name for s in client.list_properties_of_secrets()] +except AuthenticationRequiredError as ex: + # Interactive authentication is necessary to authorize the client's request. The exception carries the + # requested authentication scopes. If you pass these to 'authenticate', it will cache an access token + # for those scopes. + credential.authenticate(scopes=ex.scopes) + +# the client operation should now succeed +secret_names = [s.name for s in client.list_properties_of_secrets()] diff --git a/sdk/identity/azure-identity/samples/user_authentication.py b/sdk/identity/azure-identity/samples/user_authentication.py new file mode 100644 index 000000000000..2c21c2a44973 --- /dev/null +++ b/sdk/identity/azure-identity/samples/user_authentication.py @@ -0,0 +1,43 @@ +# ------------------------------------ +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. +# ------------------------------------ +"""Demonstrates user authentication using InteractiveBrowserCredential. DeviceCodeCredential supports the same API.""" + +import os +import sys +from azure.identity import AuthenticationRecord, InteractiveBrowserCredential +from azure.keyvault.secrets import SecretClient + + +# This sample uses Key Vault only for demonstration. Any client accepting azure-identity credentials will work the same. +VAULT_URL = os.environ.get("VAULT_URL") +if not VAULT_URL: + print("This sample expects environment variable 'VAULT_URL' to be set with the URL of a Key Vault.") + sys.exit(1) + + +# Persistent caching is optional. By default, interactive credentials cache in memory only. +credential = InteractiveBrowserCredential(enable_persistent_cache=True) + +# The 'authenticate' method begins interactive authentication. Call it whenever it's convenient +# for your application to authenticate a user. It returns a record of the authentication. +record = credential.authenticate() + +# The record contains no authentication secrets. You can serialize it to JSON for storage. +record_json = record.serialize() + +# An authenticated credential is ready for use with a client. This request should succeed +# without prompting for authentication again. +client = SecretClient(VAULT_URL, credential) +secret_names = [s.name for s in client.list_properties_of_secrets()] + +# With persistent caching enabled, an authentication record stored by your application enables +# credentials to access data from past authentications. If the cache contains sufficient data, +# this eliminates the need for your application to prompt for authentication every time it runs. +deserialized_record = AuthenticationRecord.deserialize(record_json) +new_credential = InteractiveBrowserCredential(enable_persistent_cache=True, authentication_record=deserialized_record) + +# This request should also succeed without prompting for authentication. +client = SecretClient(VAULT_URL, new_credential) +secret_names = [s.name for s in client.list_properties_of_secrets()] diff --git a/sdk/identity/azure-identity/tests/test_auth_record.py b/sdk/identity/azure-identity/tests/test_auth_record.py index 5b4ec83d6da2..5daef9c5dec4 100644 --- a/sdk/identity/azure-identity/tests/test_auth_record.py +++ b/sdk/identity/azure-identity/tests/test_auth_record.py @@ -4,7 +4,7 @@ # ------------------------------------ import json -from azure.identity._auth_record import AuthenticationRecord +from azure.identity import AuthenticationRecord def test_serialization(): diff --git a/sdk/identity/azure-identity/tests/test_browser_credential.py b/sdk/identity/azure-identity/tests/test_browser_credential.py index 500006325f40..29b02e01ea63 100644 --- a/sdk/identity/azure-identity/tests/test_browser_credential.py +++ b/sdk/identity/azure-identity/tests/test_browser_credential.py @@ -10,8 +10,7 @@ from azure.core.exceptions import ClientAuthenticationError from azure.core.pipeline.policies import SansIOHTTPPolicy -from azure.identity import CredentialUnavailableError, InteractiveBrowserCredential -from azure.identity._exceptions import AuthenticationRequiredError +from azure.identity import AuthenticationRequiredError, CredentialUnavailableError, InteractiveBrowserCredential from azure.identity._internal import AuthCodeRedirectServer from azure.identity._internal.user_agent import USER_AGENT from msal import TokenCache @@ -96,7 +95,7 @@ def test_authenticate(): tenant_id=tenant_id, transport=transport, ) - record = credential._authenticate(scopes=(scope,)) + record = credential.authenticate(scopes=(scope,)) assert record.authority == environment assert record.home_account_id == object_id + "." + home_tenant @@ -115,7 +114,7 @@ def test_disable_automatic_authentication(): empty_cache = TokenCache() # empty cache makes silent auth impossible transport = Mock(send=Mock(side_effect=Exception("no request should be sent"))) credential = InteractiveBrowserCredential( - _disable_automatic_authentication=True, transport=transport, _cache=empty_cache + disable_automatic_authentication=True, transport=transport, _cache=empty_cache ) with patch(WEBBROWSER_OPEN, Mock(side_effect=Exception("credential shouldn't try interactive authentication"))): diff --git a/sdk/identity/azure-identity/tests/test_certificate_credential.py b/sdk/identity/azure-identity/tests/test_certificate_credential.py index 0f502aa6a54c..d8562fd36094 100644 --- a/sdk/identity/azure-identity/tests/test_certificate_credential.py +++ b/sdk/identity/azure-identity/tests/test_certificate_credential.py @@ -197,7 +197,7 @@ def validate_jwt(request, client_id, pem_bytes, expect_x5c=False): @pytest.mark.parametrize("cert_path,cert_password", BOTH_CERTS) def test_enable_persistent_cache(cert_path, cert_password): - """the credential should use the persistent cache only when given _enable_persistent_cache=True""" + """the credential should use the persistent cache only when given enable_persistent_cache=True""" persistent_cache = "azure.identity._internal.persistent_cache" required_arguments = ("tenant-id", "client-id", cert_path) @@ -208,20 +208,20 @@ def test_enable_persistent_cache(cert_path, cert_password): CertificateCredential(*required_arguments, password=cert_password) # allowing an unencrypted cache doesn't count as opting in to the persistent cache - CertificateCredential(*required_arguments, password=cert_password, _allow_unencrypted_cache=True) + CertificateCredential(*required_arguments, password=cert_password, allow_unencrypted_cache=True) # keyword argument opts in to persistent cache with patch(persistent_cache + ".msal_extensions") as mock_extensions: - CertificateCredential(*required_arguments, password=cert_password, _enable_persistent_cache=True) + CertificateCredential(*required_arguments, password=cert_password, enable_persistent_cache=True) assert mock_extensions.PersistedTokenCache.call_count == 1 # opting in on an unsupported platform raises an exception with patch(persistent_cache + ".sys.platform", "commodore64"): with pytest.raises(NotImplementedError): - CertificateCredential(*required_arguments, password=cert_password, _enable_persistent_cache=True) + CertificateCredential(*required_arguments, password=cert_password, enable_persistent_cache=True) with pytest.raises(NotImplementedError): CertificateCredential( - *required_arguments, password=cert_password, _enable_persistent_cache=True, _allow_unencrypted_cache=True + *required_arguments, password=cert_password, enable_persistent_cache=True, allow_unencrypted_cache=True ) @@ -238,7 +238,7 @@ def test_persistent_cache_linux(mock_extensions, cert_path, cert_password): # the credential should prefer an encrypted cache even when the user allows an unencrypted one CertificateCredential( - *required_arguments, password=cert_password, _enable_persistent_cache=True, _allow_unencrypted_cache=True + *required_arguments, password=cert_password, enable_persistent_cache=True, allow_unencrypted_cache=True ) assert mock_extensions.PersistedTokenCache.called_with(mock_extensions.LibsecretPersistence) mock_extensions.PersistedTokenCache.reset_mock() @@ -248,10 +248,10 @@ def test_persistent_cache_linux(mock_extensions, cert_path, cert_password): # encryption unavailable, no opt in to unencrypted cache -> credential should raise with pytest.raises(ValueError): - CertificateCredential(*required_arguments, password=cert_password, _enable_persistent_cache=True) + CertificateCredential(*required_arguments, password=cert_password, enable_persistent_cache=True) CertificateCredential( - *required_arguments, password=cert_password, _enable_persistent_cache=True, _allow_unencrypted_cache=True + *required_arguments, password=cert_password, enable_persistent_cache=True, allow_unencrypted_cache=True ) assert mock_extensions.PersistedTokenCache.called_with(mock_extensions.FilePersistence) @@ -273,11 +273,11 @@ def test_persistent_cache_multiple_clients(cert_path, cert_password): with patch("azure.identity._internal.persistent_cache._load_persistent_cache") as mock_cache_loader: mock_cache_loader.return_value = Mock(wraps=cache) credential_a = CertificateCredential( - "tenant", "client-a", cert_path, password=cert_password, _enable_persistent_cache=True, transport=transport_a + "tenant", "client-a", cert_path, password=cert_password, enable_persistent_cache=True, transport=transport_a ) assert mock_cache_loader.call_count == 1, "credential should load the persistent cache" credential_b = CertificateCredential( - "tenant", "client-b", cert_path, password=cert_password, _enable_persistent_cache=True, transport=transport_b + "tenant", "client-b", cert_path, password=cert_password, enable_persistent_cache=True, transport=transport_b ) assert mock_cache_loader.call_count == 2, "credential should load the persistent cache" diff --git a/sdk/identity/azure-identity/tests/test_certificate_credential_async.py b/sdk/identity/azure-identity/tests/test_certificate_credential_async.py index fed6f12a4be1..973994be2b9c 100644 --- a/sdk/identity/azure-identity/tests/test_certificate_credential_async.py +++ b/sdk/identity/azure-identity/tests/test_certificate_credential_async.py @@ -151,7 +151,7 @@ async def mock_send(request, **kwargs): @pytest.mark.parametrize("cert_path,cert_password", BOTH_CERTS) def test_enable_persistent_cache(cert_path, cert_password): - """the credential should use the persistent cache only when given _enable_persistent_cache=True""" + """the credential should use the persistent cache only when given enable_persistent_cache=True""" persistent_cache = "azure.identity._internal.persistent_cache" required_arguments = ("tenant-id", "client-id", cert_path) @@ -162,20 +162,20 @@ def test_enable_persistent_cache(cert_path, cert_password): CertificateCredential(*required_arguments, password=cert_password) # allowing an unencrypted cache doesn't count as opting in to the persistent cache - CertificateCredential(*required_arguments, password=cert_password, _allow_unencrypted_cache=True) + CertificateCredential(*required_arguments, password=cert_password, allow_unencrypted_cache=True) # keyword argument opts in to persistent cache with patch(persistent_cache + ".msal_extensions") as mock_extensions: - CertificateCredential(*required_arguments, password=cert_password, _enable_persistent_cache=True) + CertificateCredential(*required_arguments, password=cert_password, enable_persistent_cache=True) assert mock_extensions.PersistedTokenCache.call_count == 1 # opting in on an unsupported platform raises an exception with patch(persistent_cache + ".sys.platform", "commodore64"): with pytest.raises(NotImplementedError): - CertificateCredential(*required_arguments, password=cert_password, _enable_persistent_cache=True) + CertificateCredential(*required_arguments, password=cert_password, enable_persistent_cache=True) with pytest.raises(NotImplementedError): CertificateCredential( - *required_arguments, password=cert_password, _enable_persistent_cache=True, _allow_unencrypted_cache=True + *required_arguments, password=cert_password, enable_persistent_cache=True, allow_unencrypted_cache=True ) @@ -192,7 +192,7 @@ def test_persistent_cache_linux(mock_extensions, cert_path, cert_password): # the credential should prefer an encrypted cache even when the user allows an unencrypted one CertificateCredential( - *required_arguments, password=cert_password, _enable_persistent_cache=True, _allow_unencrypted_cache=True + *required_arguments, password=cert_password, enable_persistent_cache=True, allow_unencrypted_cache=True ) assert mock_extensions.PersistedTokenCache.called_with(mock_extensions.LibsecretPersistence) mock_extensions.PersistedTokenCache.reset_mock() @@ -202,10 +202,10 @@ def test_persistent_cache_linux(mock_extensions, cert_path, cert_password): # encryption unavailable, no opt in to unencrypted cache -> credential should raise with pytest.raises(ValueError): - CertificateCredential(*required_arguments, password=cert_password, _enable_persistent_cache=True) + CertificateCredential(*required_arguments, password=cert_password, enable_persistent_cache=True) CertificateCredential( - *required_arguments, password=cert_password, _enable_persistent_cache=True, _allow_unencrypted_cache=True + *required_arguments, password=cert_password, enable_persistent_cache=True, allow_unencrypted_cache=True ) assert mock_extensions.PersistedTokenCache.called_with(mock_extensions.FilePersistence) @@ -228,11 +228,11 @@ async def test_persistent_cache_multiple_clients(cert_path, cert_password): with patch("azure.identity._internal.persistent_cache._load_persistent_cache") as mock_cache_loader: mock_cache_loader.return_value = Mock(wraps=cache) credential_a = CertificateCredential( - "tenant", "client-a", cert_path, password=cert_password, _enable_persistent_cache=True, transport=transport_a + "tenant", "client-a", cert_path, password=cert_password, enable_persistent_cache=True, transport=transport_a ) assert mock_cache_loader.call_count == 1, "credential should load the persistent cache" credential_b = CertificateCredential( - "tenant", "client-b", cert_path, password=cert_password, _enable_persistent_cache=True, transport=transport_b + "tenant", "client-b", cert_path, password=cert_password, enable_persistent_cache=True, transport=transport_b ) assert mock_cache_loader.call_count == 2, "credential should load the persistent cache" diff --git a/sdk/identity/azure-identity/tests/test_client_secret_credential.py b/sdk/identity/azure-identity/tests/test_client_secret_credential.py index 9944a40e9ff6..2e651c1924a0 100644 --- a/sdk/identity/azure-identity/tests/test_client_secret_credential.py +++ b/sdk/identity/azure-identity/tests/test_client_secret_credential.py @@ -118,7 +118,7 @@ def test_authority(authority): def test_enable_persistent_cache(): - """the credential should use the persistent cache only when given _enable_persistent_cache=True""" + """the credential should use the persistent cache only when given enable_persistent_cache=True""" required_arguments = ("tenant-id", "client-id", "secret") persistent_cache = "azure.identity._internal.persistent_cache" @@ -129,19 +129,19 @@ def test_enable_persistent_cache(): ClientSecretCredential(*required_arguments) # allowing an unencrypted cache doesn't count as opting in to the persistent cache - ClientSecretCredential(*required_arguments, _allow_unencrypted_cache=True) + ClientSecretCredential(*required_arguments, allow_unencrypted_cache=True) # keyword argument opts in to persistent cache with patch(persistent_cache + ".msal_extensions") as mock_extensions: - ClientSecretCredential(*required_arguments, _enable_persistent_cache=True) + ClientSecretCredential(*required_arguments, enable_persistent_cache=True) assert mock_extensions.PersistedTokenCache.call_count == 1 # opting in on an unsupported platform raises an exception with patch(persistent_cache + ".sys.platform", "commodore64"): with pytest.raises(NotImplementedError): - ClientSecretCredential(*required_arguments, _enable_persistent_cache=True) + ClientSecretCredential(*required_arguments, enable_persistent_cache=True) with pytest.raises(NotImplementedError): - ClientSecretCredential(*required_arguments, _enable_persistent_cache=True, _allow_unencrypted_cache=True) + ClientSecretCredential(*required_arguments, enable_persistent_cache=True, allow_unencrypted_cache=True) @patch("azure.identity._internal.persistent_cache.sys.platform", "linux2") @@ -155,7 +155,7 @@ def test_persistent_cache_linux(mock_extensions): required_arguments = ("tenant-id", "client-id", "secret") # the credential should prefer an encrypted cache even when the user allows an unencrypted one - ClientSecretCredential(*required_arguments, _enable_persistent_cache=True, _allow_unencrypted_cache=True) + ClientSecretCredential(*required_arguments, enable_persistent_cache=True, allow_unencrypted_cache=True) assert mock_extensions.PersistedTokenCache.called_with(mock_extensions.LibsecretPersistence) mock_extensions.PersistedTokenCache.reset_mock() @@ -164,9 +164,9 @@ def test_persistent_cache_linux(mock_extensions): # encryption unavailable, no opt in to unencrypted cache -> credential should raise with pytest.raises(ValueError): - ClientSecretCredential(*required_arguments, _enable_persistent_cache=True) + ClientSecretCredential(*required_arguments, enable_persistent_cache=True) - ClientSecretCredential(*required_arguments, _enable_persistent_cache=True, _allow_unencrypted_cache=True) + ClientSecretCredential(*required_arguments, enable_persistent_cache=True, allow_unencrypted_cache=True) assert mock_extensions.PersistedTokenCache.called_with(mock_extensions.FilePersistence) @@ -186,11 +186,11 @@ def test_persistent_cache_multiple_clients(): with patch("azure.identity._internal.persistent_cache._load_persistent_cache") as mock_cache_loader: mock_cache_loader.return_value = Mock(wraps=cache) credential_a = ClientSecretCredential( - "tenant-id", "client-a", "...", _enable_persistent_cache=True, transport=transport_a + "tenant-id", "client-a", "...", enable_persistent_cache=True, transport=transport_a ) assert mock_cache_loader.call_count == 1, "credential should load the persistent cache" credential_b = ClientSecretCredential( - "tenant-id", "client-b", "...", _enable_persistent_cache=True, transport=transport_b + "tenant-id", "client-b", "...", enable_persistent_cache=True, transport=transport_b ) assert mock_cache_loader.call_count == 2, "credential should load the persistent cache" diff --git a/sdk/identity/azure-identity/tests/test_client_secret_credential_async.py b/sdk/identity/azure-identity/tests/test_client_secret_credential_async.py index 6ae2d0adba18..3c0bdd231941 100644 --- a/sdk/identity/azure-identity/tests/test_client_secret_credential_async.py +++ b/sdk/identity/azure-identity/tests/test_client_secret_credential_async.py @@ -186,7 +186,7 @@ async def test_cache(): def test_enable_persistent_cache(): - """the credential should use the persistent cache only when given _enable_persistent_cache=True""" + """the credential should use the persistent cache only when given enable_persistent_cache=True""" required_arguments = ("tenant-id", "client-id", "secret") persistent_cache = "azure.identity._internal.persistent_cache" @@ -197,19 +197,19 @@ def test_enable_persistent_cache(): ClientSecretCredential(*required_arguments) # allowing an unencrypted cache doesn't count as opting in to the persistent cache - ClientSecretCredential(*required_arguments, _allow_unencrypted_cache=True) + ClientSecretCredential(*required_arguments, allow_unencrypted_cache=True) # keyword argument opts in to persistent cache with patch(persistent_cache + ".msal_extensions") as mock_extensions: - ClientSecretCredential(*required_arguments, _enable_persistent_cache=True) + ClientSecretCredential(*required_arguments, enable_persistent_cache=True) assert mock_extensions.PersistedTokenCache.call_count == 1 # opting in on an unsupported platform raises an exception with patch(persistent_cache + ".sys.platform", "commodore64"): with pytest.raises(NotImplementedError): - ClientSecretCredential(*required_arguments, _enable_persistent_cache=True) + ClientSecretCredential(*required_arguments, enable_persistent_cache=True) with pytest.raises(NotImplementedError): - ClientSecretCredential(*required_arguments, _enable_persistent_cache=True, _allow_unencrypted_cache=True) + ClientSecretCredential(*required_arguments, enable_persistent_cache=True, allow_unencrypted_cache=True) @patch("azure.identity._internal.persistent_cache.sys.platform", "linux2") @@ -223,7 +223,7 @@ def test_persistent_cache_linux(mock_extensions): required_arguments = ("tenant-id", "client-id", "secret") # the credential should prefer an encrypted cache even when the user allows an unencrypted one - ClientSecretCredential(*required_arguments, _enable_persistent_cache=True, _allow_unencrypted_cache=True) + ClientSecretCredential(*required_arguments, enable_persistent_cache=True, allow_unencrypted_cache=True) assert mock_extensions.PersistedTokenCache.called_with(mock_extensions.LibsecretPersistence) mock_extensions.PersistedTokenCache.reset_mock() @@ -232,9 +232,9 @@ def test_persistent_cache_linux(mock_extensions): # encryption unavailable, no opt in to unencrypted cache -> credential should raise with pytest.raises(ValueError): - ClientSecretCredential(*required_arguments, _enable_persistent_cache=True) + ClientSecretCredential(*required_arguments, enable_persistent_cache=True) - ClientSecretCredential(*required_arguments, _enable_persistent_cache=True, _allow_unencrypted_cache=True) + ClientSecretCredential(*required_arguments, enable_persistent_cache=True, allow_unencrypted_cache=True) assert mock_extensions.PersistedTokenCache.called_with(mock_extensions.FilePersistence) @@ -255,11 +255,11 @@ async def test_persistent_cache_multiple_clients(): with patch("azure.identity._internal.persistent_cache._load_persistent_cache") as mock_cache_loader: mock_cache_loader.return_value = Mock(wraps=cache) credential_a = ClientSecretCredential( - "tenant-id", "client-a", "...", _enable_persistent_cache=True, transport=transport_a + "tenant-id", "client-a", "...", enable_persistent_cache=True, transport=transport_a ) assert mock_cache_loader.call_count == 1, "credential should load the persistent cache" credential_b = ClientSecretCredential( - "tenant-id", "client-b", "...", _enable_persistent_cache=True, transport=transport_b + "tenant-id", "client-b", "...", enable_persistent_cache=True, transport=transport_b ) assert mock_cache_loader.call_count == 2, "credential should load the persistent cache" diff --git a/sdk/identity/azure-identity/tests/test_device_code_credential.py b/sdk/identity/azure-identity/tests/test_device_code_credential.py index 48761174a2ca..ec2615570995 100644 --- a/sdk/identity/azure-identity/tests/test_device_code_credential.py +++ b/sdk/identity/azure-identity/tests/test_device_code_credential.py @@ -6,8 +6,7 @@ from azure.core.exceptions import ClientAuthenticationError from azure.core.pipeline.policies import SansIOHTTPPolicy -from azure.identity import DeviceCodeCredential -from azure.identity._exceptions import AuthenticationRequiredError +from azure.identity import AuthenticationRequiredError, DeviceCodeCredential from azure.identity._internal.user_agent import USER_AGENT from msal import TokenCache import pytest @@ -91,7 +90,7 @@ def test_authenticate(): tenant_id=tenant_id, _cache=TokenCache(), ) - record = credential._authenticate(scopes=(scope,)) + record = credential.authenticate(scopes=(scope,)) assert record.authority == environment assert record.home_account_id == object_id + "." + home_tenant assert record.tenant_id == home_tenant @@ -108,7 +107,7 @@ def test_disable_automatic_authentication(): empty_cache = TokenCache() # empty cache makes silent auth impossible transport = Mock(send=Mock(side_effect=Exception("no request should be sent"))) credential = DeviceCodeCredential( - "client-id", _disable_automatic_authentication=True, transport=transport, _cache=empty_cache + "client-id", disable_automatic_authentication=True, transport=transport, _cache=empty_cache ) with pytest.raises(AuthenticationRequiredError): diff --git a/sdk/identity/azure-identity/tests/test_imds_credential.py b/sdk/identity/azure-identity/tests/test_imds_credential.py index 8b040b769f55..95f53088b11a 100644 --- a/sdk/identity/azure-identity/tests/test_imds_credential.py +++ b/sdk/identity/azure-identity/tests/test_imds_credential.py @@ -169,7 +169,7 @@ def test_identity_config(): ], ) - credential = ImdsCredential(_identity_config={param_name: param_value}, transport=transport) + credential = ImdsCredential(identity_config={param_name: param_value}, transport=transport) token = credential.get_token(scope) assert token == expected_token diff --git a/sdk/identity/azure-identity/tests/test_imds_credential_async.py b/sdk/identity/azure-identity/tests/test_imds_credential_async.py index 8c42e643a855..a4d056f399fc 100644 --- a/sdk/identity/azure-identity/tests/test_imds_credential_async.py +++ b/sdk/identity/azure-identity/tests/test_imds_credential_async.py @@ -198,7 +198,7 @@ async def test_identity_config(): ], ) - credential = ImdsCredential(client_id=client_id, _identity_config={param_name: param_value}, transport=transport) + credential = ImdsCredential(client_id=client_id, identity_config={param_name: param_value}, transport=transport) token = await credential.get_token(scope) assert token == expected_token diff --git a/sdk/identity/azure-identity/tests/test_interactive_credential.py b/sdk/identity/azure-identity/tests/test_interactive_credential.py index f8f725275af2..a708b7c2c9fc 100644 --- a/sdk/identity/azure-identity/tests/test_interactive_credential.py +++ b/sdk/identity/azure-identity/tests/test_interactive_credential.py @@ -4,11 +4,11 @@ # ------------------------------------ from azure.core.exceptions import ClientAuthenticationError from azure.identity import ( + AuthenticationRequiredError, + AuthenticationRecord, KnownAuthorities, CredentialUnavailableError, ) -from azure.identity._auth_record import AuthenticationRecord -from azure.identity._exceptions import AuthenticationRequiredError from azure.identity._internal import InteractiveCredential from msal import TokenCache import pytest @@ -81,7 +81,7 @@ def validate_app_parameters(authority, client_id, **_): app_factory = Mock(wraps=validate_app_parameters) credential = MockCredential( - _authentication_record=record, _disable_automatic_authentication=True, msal_app_factory=app_factory, + authentication_record=record, disable_automatic_authentication=True, msal_app_factory=app_factory, ) with pytest.raises(AuthenticationRequiredError): credential.get_token("scope") @@ -104,9 +104,9 @@ def validate_authority(authority, **_): return Mock(get_accounts=Mock(return_value=[])) credential = MockCredential( - _authentication_record=record, + authentication_record=record, tenant_id=expected_tenant, - _disable_automatic_authentication=True, + disable_automatic_authentication=True, msal_app_factory=validate_authority, ) with pytest.raises(AuthenticationRequiredError): @@ -124,8 +124,8 @@ def test_disable_automatic_authentication(): ) credential = MockCredential( - _authentication_record=record, - _disable_automatic_authentication=True, + authentication_record=record, + disable_automatic_authentication=True, msal_app_factory=lambda *_, **__: msal_app, request_token=Mock(side_effect=Exception("credential shouldn't begin interactive authentication")), ) @@ -149,11 +149,11 @@ def validate_scopes(*scopes, **_): return REQUEST_TOKEN_RESULT request_token = Mock(wraps=validate_scopes) - credential = MockCredential(_disable_automatic_authentication=True, request_token=request_token) + credential = MockCredential(disable_automatic_authentication=True, request_token=request_token) with pytest.raises(AuthenticationRequiredError) as ex: credential.get_token(scope) - credential._authenticate(scopes=ex.value.scopes) + credential.authenticate(scopes=ex.value.scopes) assert request_token.call_count == 1, "validation method wasn't called" @@ -175,7 +175,7 @@ def validate_scopes(*scopes): return REQUEST_TOKEN_RESULT request_token = Mock(wraps=validate_scopes) - MockCredential(authority=authority, request_token=request_token)._authenticate() + MockCredential(authority=authority, request_token=request_token).authenticate() assert request_token.call_count == 1 @@ -183,7 +183,7 @@ def test_authenticate_unknown_cloud(): """authenticate should raise when given no scopes in an unknown cloud""" with pytest.raises(CredentialUnavailableError): - MockCredential(authority="localhost")._authenticate() + MockCredential(authority="localhost").authenticate() @pytest.mark.parametrize("option", (True, False)) @@ -191,7 +191,7 @@ def test_authenticate_ignores_disable_automatic_authentication(option): """authenticate should prompt for authentication regardless of the credential's configuration""" request_token = Mock(return_value=REQUEST_TOKEN_RESULT) - MockCredential(request_token=request_token, _disable_automatic_authentication=option)._authenticate() + MockCredential(request_token=request_token, disable_automatic_authentication=option).authenticate() assert request_token.call_count == 1, "credential didn't begin interactive authentication" @@ -207,7 +207,7 @@ class CustomException(Exception): acquire_token_silent_with_error=Mock(side_effect=CustomException(expected_message)), get_accounts=Mock(return_value=[{"home_account_id": record.home_account_id}]), ) - credential = MockCredential(msal_app_factory=lambda *_, **__: msal_app, _authentication_record=record) + credential = MockCredential(msal_app_factory=lambda *_, **__: msal_app, authentication_record=record) with pytest.raises(ClientAuthenticationError) as ex: credential.get_token("scope") @@ -216,7 +216,7 @@ class CustomException(Exception): def test_enable_persistent_cache(): - """the credential should use the persistent cache only when given _enable_persistent_cache=True""" + """the credential should use the persistent cache only when given enable_persistent_cache=True""" class TestCredential(InteractiveCredential): def __init__(self, **kwargs): @@ -237,20 +237,20 @@ def _request_token(self, *_, **__): assert credential._cache is in_memory_cache # allowing an unencrypted cache doesn't count as opting in to the persistent cache - credential = TestCredential(_allow_unencrypted_cache=True) + credential = TestCredential(allow_unencrypted_cache=True) assert credential._cache is in_memory_cache # keyword argument opts in to persistent cache with patch(persistent_cache + ".msal_extensions") as mock_extensions: - TestCredential(_enable_persistent_cache=True) + TestCredential(enable_persistent_cache=True) assert mock_extensions.PersistedTokenCache.call_count == 1 # opting in on an unsupported platform raises an exception with patch(persistent_cache + ".sys.platform", "commodore64"): with pytest.raises(NotImplementedError): - TestCredential(_enable_persistent_cache=True) + TestCredential(enable_persistent_cache=True) with pytest.raises(NotImplementedError): - TestCredential(_enable_persistent_cache=True, _allow_unencrypted_cache=True) + TestCredential(enable_persistent_cache=True, allow_unencrypted_cache=True) @patch("azure.identity._internal.persistent_cache.sys.platform", "linux2") @@ -269,7 +269,7 @@ def _request_token(self, *_, **__): pass # the credential should prefer an encrypted cache even when the user allows an unencrypted one - TestCredential(_enable_persistent_cache=True, _allow_unencrypted_cache=True) + TestCredential(enable_persistent_cache=True, allow_unencrypted_cache=True) assert mock_extensions.PersistedTokenCache.called_with(mock_extensions.LibsecretPersistence) mock_extensions.PersistedTokenCache.reset_mock() @@ -278,9 +278,9 @@ def _request_token(self, *_, **__): # encryption unavailable, no opt in to unencrypted cache -> credential should raise with pytest.raises(ValueError): - TestCredential(_enable_persistent_cache=True) + TestCredential(enable_persistent_cache=True) - TestCredential(_enable_persistent_cache=True, _allow_unencrypted_cache=True) + TestCredential(enable_persistent_cache=True, allow_unencrypted_cache=True) assert mock_extensions.PersistedTokenCache.called_with(mock_extensions.FilePersistence) @@ -306,7 +306,7 @@ def __init__(self, **kwargs): def _request_token(self, *_, **__): return msal_response - record = TestCredential()._authenticate() + record = TestCredential().authenticate() assert record.home_account_id == "{}.{}".format(object_id, home_tenant) @@ -334,7 +334,7 @@ def __init__(self, **kwargs): def _request_token(self, *_, **__): return msal_response - record = TestCredential()._authenticate() + record = TestCredential().authenticate() assert record.authority == authority assert record.home_account_id == subject assert record.tenant_id == tenant diff --git a/sdk/identity/azure-identity/tests/test_msi_credential.py b/sdk/identity/azure-identity/tests/test_msi_credential.py index 28f67a357790..7536688774e2 100644 --- a/sdk/identity/azure-identity/tests/test_msi_credential.py +++ b/sdk/identity/azure-identity/tests/test_msi_credential.py @@ -68,7 +68,7 @@ def test_identity_config_app_service(): {EnvironmentVariables.MSI_ENDPOINT: endpoint, EnvironmentVariables.MSI_SECRET: secret}, clear=True, ): - credential = MsiCredential(_identity_config={param_name: param_value}, transport=transport) + credential = MsiCredential(identity_config={param_name: param_value}, transport=transport) token = credential.get_token(scope) assert token == expected_token @@ -107,7 +107,7 @@ def test_identity_config_cloud_shell(): with mock.patch.dict( MsiCredential.__module__ + ".os.environ", {EnvironmentVariables.MSI_ENDPOINT: endpoint}, clear=True ): - credential = MsiCredential(_identity_config={param_name: param_value}, transport=transport) + credential = MsiCredential(identity_config={param_name: param_value}, transport=transport) token = credential.get_token(scope) assert token == expected_token diff --git a/sdk/identity/azure-identity/tests/test_msi_credential_async.py b/sdk/identity/azure-identity/tests/test_msi_credential_async.py index b9ff2bf114f8..dfa038963536 100644 --- a/sdk/identity/azure-identity/tests/test_msi_credential_async.py +++ b/sdk/identity/azure-identity/tests/test_msi_credential_async.py @@ -96,7 +96,7 @@ async def test_identity_config_app_service(): {EnvironmentVariables.MSI_ENDPOINT: endpoint, EnvironmentVariables.MSI_SECRET: secret}, clear=True, ): - credential = MsiCredential(_identity_config={param_name: param_value}, transport=transport) + credential = MsiCredential(identity_config={param_name: param_value}, transport=transport) token = await credential.get_token(scope) assert token == expected_token @@ -135,7 +135,7 @@ async def test_identity_config_cloud_shell(): with mock.patch.dict( MsiCredential.__module__ + ".os.environ", {EnvironmentVariables.MSI_ENDPOINT: endpoint}, clear=True ): - credential = MsiCredential(_identity_config={param_name: param_value}, transport=transport) + credential = MsiCredential(identity_config={param_name: param_value}, transport=transport) token = await credential.get_token(scope) assert token == expected_token diff --git a/sdk/identity/azure-identity/tests/test_shared_cache_credential.py b/sdk/identity/azure-identity/tests/test_shared_cache_credential.py index f8a4b97b1109..9634fe8dced6 100644 --- a/sdk/identity/azure-identity/tests/test_shared_cache_credential.py +++ b/sdk/identity/azure-identity/tests/test_shared_cache_credential.py @@ -5,10 +5,10 @@ from azure.core.exceptions import ClientAuthenticationError from azure.core.pipeline.policies import SansIOHTTPPolicy from azure.identity import ( + AuthenticationRecord, CredentialUnavailableError, SharedTokenCacheCredential, ) -from azure.identity._auth_record import AuthenticationRecord from azure.identity._constants import DEVELOPER_SIGN_ON_CLIENT_ID, EnvironmentVariables from azure.identity._internal.shared_token_cache import ( KNOWN_ALIASES, @@ -45,16 +45,16 @@ def test_tenant_id_validation(): valid_ids = {"c878a2ab-8ef4-413b-83a0-199afb84d7fb", "contoso.onmicrosoft.com", "organizations", "common"} for tenant in valid_ids: record = AuthenticationRecord(tenant, "client-id", "authority", "home.account.id", "username") - SharedTokenCacheCredential(_authentication_record=record) - SharedTokenCacheCredential(_authentication_record=record, tenant_id=tenant) + SharedTokenCacheCredential(authentication_record=record) + SharedTokenCacheCredential(authentication_record=record, tenant_id=tenant) invalid_ids = {"", "my tenant", "my_tenant", "/", "\\", '"my-tenant"', "'my-tenant'"} for tenant in invalid_ids: record = AuthenticationRecord(tenant, "client-id", "authority", "home.account.id", "username") with pytest.raises(ValueError): - SharedTokenCacheCredential(_authentication_record=record) + SharedTokenCacheCredential(authentication_record=record) with pytest.raises(ValueError): - SharedTokenCacheCredential(_authentication_record=record, tenant_id=tenant) + SharedTokenCacheCredential(authentication_record=record, tenant_id=tenant) def test_supported(): @@ -546,7 +546,7 @@ def send(request, **_): return get_discovery_response() credential = SharedTokenCacheCredential( - _authentication_record=record, transport=Mock(send=send), _cache=TokenCache() + authentication_record=record, transport=Mock(send=send), _cache=TokenCache() ) with pytest.raises(CredentialUnavailableError): @@ -572,7 +572,7 @@ def send(request, **_): "not-" + username, "not-" + object_id, "different-" + tenant_id, client_id="not-" + client_id, ), ) - credential = SharedTokenCacheCredential(_authentication_record=record, transport=Mock(send=send), _cache=cache) + credential = SharedTokenCacheCredential(authentication_record=record, transport=Mock(send=send), _cache=cache) with pytest.raises(CredentialUnavailableError): credential.get_token("scope") @@ -599,7 +599,7 @@ def test_authentication_record(): requests=[Request(authority=authority, required_data={"refresh_token": expected_refresh_token})], responses=[mock_response(json_payload=build_aad_response(access_token=expected_access_token))], ) - credential = SharedTokenCacheCredential(_authentication_record=record, transport=transport, _cache=cache) + credential = SharedTokenCacheCredential(authentication_record=record, transport=transport, _cache=cache) token = credential.get_token("scope") assert token.token == expected_access_token @@ -636,13 +636,12 @@ def test_auth_record_multiple_accounts_for_username(): requests=[Request(authority=authority, required_data={"refresh_token": expected_refresh_token})], responses=[mock_response(json_payload=build_aad_response(access_token=expected_access_token))], ) - credential = SharedTokenCacheCredential(_authentication_record=record, transport=transport, _cache=cache) + credential = SharedTokenCacheCredential(authentication_record=record, transport=transport, _cache=cache) token = credential.get_token("scope") assert token.token == expected_access_token -@pytest.mark.skip("in 1.5.0 allow_unencrypted_cache is private and defaults to True") @patch("azure.identity._internal.persistent_cache.sys.platform", "linux2") @patch("azure.identity._internal.persistent_cache.msal_extensions") def test_allow_unencrypted_cache(mock_extensions): @@ -793,7 +792,7 @@ def mock_send(request, **_): transport = Mock(send=Mock(wraps=mock_send)) credential = SharedTokenCacheCredential( - _authentication_record=record, _cache=TokenCache(), tenant_id=expected_tenant_id, transport=transport + authentication_record=record, _cache=TokenCache(), tenant_id=expected_tenant_id, transport=transport ) with pytest.raises(CredentialUnavailableError): credential.get_token("scope") # this raises because the cache is empty diff --git a/sdk/identity/azure-identity/tests/test_shared_cache_credential_async.py b/sdk/identity/azure-identity/tests/test_shared_cache_credential_async.py index 4599be446126..7613200e97ee 100644 --- a/sdk/identity/azure-identity/tests/test_shared_cache_credential_async.py +++ b/sdk/identity/azure-identity/tests/test_shared_cache_credential_async.py @@ -589,7 +589,6 @@ async def test_authority_environment_variable(): assert token.token == expected_access_token -@pytest.mark.skip("in 1.5.0 allow_unencrypted_cache is private and defaults to True") @pytest.mark.asyncio async def test_allow_unencrypted_cache(): """The credential should use an unencrypted cache when encryption is unavailable and the user explicitly allows it. diff --git a/sdk/identity/azure-identity/tests/test_username_password_credential.py b/sdk/identity/azure-identity/tests/test_username_password_credential.py index ac19fa813a73..ffa529163209 100644 --- a/sdk/identity/azure-identity/tests/test_username_password_credential.py +++ b/sdk/identity/azure-identity/tests/test_username_password_credential.py @@ -136,7 +136,7 @@ def test_authenticate(): tenant_id=tenant_id, transport=transport, ) - record = credential._authenticate(scopes=(scope,)) + record = credential.authenticate(scopes=(scope,)) assert record.authority == environment assert record.home_account_id == object_id + "." + home_tenant assert record.tenant_id == home_tenant