# ------------------------------------ # Copyright (c) Microsoft Corporation. # Licensed under the MIT License. # ------------------------------------ from unittest.mock import Mock, patch from urllib.parse import urlparse from azure.core.exceptions import ClientAuthenticationError from azure.core.pipeline.policies import SansIOHTTPPolicy from azure.identity import CredentialUnavailableError, TokenCachePersistenceOptions from azure.identity.aio import SharedTokenCacheCredential from azure.identity._constants import EnvironmentVariables from azure.identity._internal.shared_token_cache import ( KNOWN_ALIASES, MULTIPLE_ACCOUNTS, MULTIPLE_MATCHING_ACCOUNTS, NO_ACCOUNTS, NO_MATCHING_ACCOUNTS, ) from azure.identity._internal.user_agent import USER_AGENT from msal import TokenCache import pytest from helpers import build_aad_response, id_token_claims, mock_response, Request, GET_TOKEN_METHODS from helpers_async import async_validating_transport, AsyncMockTransport from test_shared_cache_credential import get_account_event, populated_cache def test_supported(): """the cache is supported on Linux, macOS, Windows, so this should pass unless you're developing on e.g. FreeBSD""" assert SharedTokenCacheCredential.supported() @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_no_scopes(get_token_method): """The credential should raise when get_token is called with no scopes""" credential = SharedTokenCacheCredential(_cache=TokenCache()) with pytest.raises(ValueError): await getattr(credential, get_token_method)() @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_close(get_token_method): async def send(*_, **kwargs): # ensure the `claims` and `tenant_id` keywords from credential's `get_token` method don't make it to transport assert "claims" not in kwargs assert "tenant_id" not in kwargs return mock_response(json_payload=build_aad_response(access_token="**")) transport = AsyncMockTransport(send=send) credential = SharedTokenCacheCredential( _cache=populated_cache(get_account_event("test@user", "uid", "utid")), transport=transport ) # the credential doesn't open a transport session before one is needed, so we send a request await getattr(credential, get_token_method)("scope") await credential.close() assert transport.__aexit__.call_count == 1 @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_context_manager(get_token_method): async def send(*_, **kwargs): # ensure the `claims` and `tenant_id` keywords from credential's `get_token` method don't make it to transport assert "claims" not in kwargs assert "tenant_id" not in kwargs return mock_response(json_payload=build_aad_response(access_token="**")) transport = AsyncMockTransport(send=send) credential = SharedTokenCacheCredential( _cache=populated_cache(get_account_event("test@user", "uid", "utid")), transport=transport ) # async with before initialization: credential should call __aexit__ but not __aenter__ async with credential: await getattr(credential, get_token_method)("scope") assert transport.__aenter__.call_count == 0 assert transport.__aexit__.call_count == 1 # async with after initialization: credential should call __aenter__ and __aexit__ async with credential: await getattr(credential, get_token_method)("scope") assert transport.__aenter__.call_count == 1 assert transport.__aexit__.call_count == 2 @pytest.mark.asyncio async def test_context_manager_no_cache(): """the credential shouldn't open/close sessions when instantiated in an environment with no cache""" transport = AsyncMockTransport() with patch("azure.identity._persistent_cache._load_persistent_cache", Mock(side_effect=NotImplementedError)): credential = SharedTokenCacheCredential(transport=transport) async with credential: assert transport.__aenter__.call_count == 0 assert transport.__aenter__.call_count == 0 assert transport.__aexit__.call_count == 0 @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_policies_configurable(get_token_method): policy = Mock(spec_set=SansIOHTTPPolicy, on_request=Mock()) async def send(*_, **kwargs): # ensure the `claims` and `tenant_id` keywords from credential's `get_token` method don't make it to transport assert "claims" not in kwargs assert "tenant_id" not in kwargs return mock_response(json_payload=build_aad_response(access_token="**")) credential = SharedTokenCacheCredential( _cache=populated_cache(get_account_event("test@user", "uid", "utid")), policies=[policy], transport=Mock(send=send), ) await getattr(credential, get_token_method)("scope") assert policy.on_request.called @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_user_agent(get_token_method): transport = async_validating_transport( requests=[Request(required_headers={"User-Agent": USER_AGENT})], responses=[mock_response(json_payload=build_aad_response(access_token="**"))], ) credential = SharedTokenCacheCredential( _cache=populated_cache(get_account_event("test@user", "uid", "utid")), transport=transport ) await getattr(credential, get_token_method)("scope") @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_tenant_id(get_token_method): transport = async_validating_transport( requests=[Request(required_headers={"User-Agent": USER_AGENT})], responses=[mock_response(json_payload=build_aad_response(access_token="**"))], ) credential = SharedTokenCacheCredential( _cache=populated_cache(get_account_event("test@user", "uid", "utid")), transport=transport, additionally_allowed_tenants=["*"], ) kwargs = {"tenant_id": "tenant_id"} if get_token_method == "get_token_info": kwargs = {"options": kwargs} await getattr(credential, get_token_method)("scope", **kwargs) @pytest.mark.parametrize("authority", ("localhost", "https://localhost")) def test_authority(authority): """the credential should accept an authority, with or without scheme, as an argument or environment variable""" parsed_authority = urlparse(authority) expected_netloc = parsed_authority.netloc or authority # "localhost" parses to netloc "", path "localhost" class MockCredential(SharedTokenCacheCredential): def _get_auth_client(self, authority=None, **kwargs): actual = urlparse(authority) assert actual.scheme == "https" assert actual.netloc == expected_netloc transport = Mock(send=Mock(side_effect=Exception("credential shouldn't send a request"))) MockCredential(_cache=TokenCache(), authority=authority, transport=transport) with patch.dict("os.environ", {EnvironmentVariables.AZURE_AUTHORITY_HOST: authority}, clear=True): MockCredential(_cache=TokenCache(), authority=authority, transport=transport) @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_empty_cache(get_token_method): """the credential should raise CredentialUnavailableError when the cache is empty""" with pytest.raises(CredentialUnavailableError, match=NO_ACCOUNTS): await getattr(SharedTokenCacheCredential(_cache=TokenCache()), get_token_method)("scope") with pytest.raises(CredentialUnavailableError, match=NO_ACCOUNTS): await getattr(SharedTokenCacheCredential(_cache=TokenCache(), username="not@cache"), get_token_method)("scope") with pytest.raises(CredentialUnavailableError, match=NO_ACCOUNTS): await getattr(SharedTokenCacheCredential(_cache=TokenCache(), tenant_id="not-cached"), get_token_method)( "scope" ) with pytest.raises(CredentialUnavailableError, match=NO_ACCOUNTS): credential = SharedTokenCacheCredential(_cache=TokenCache(), tenant_id="not-cached", username="not@cache") await getattr(credential, get_token_method)("scope") @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_no_matching_account_for_username(get_token_method): """one cached account, username specified, username doesn't match -> credential should raise""" upn = "spam@eggs" tenant = "some-guid" account = get_account_event(username=upn, uid="uid", utid=tenant, refresh_token="refresh-token") cache = populated_cache(account) with pytest.raises(CredentialUnavailableError) as ex: await getattr(SharedTokenCacheCredential(_cache=cache, username="not" + upn), get_token_method)("scope") assert ex.value.message.startswith(NO_MATCHING_ACCOUNTS[: NO_MATCHING_ACCOUNTS.index("{")]) assert "not" + upn in ex.value.message @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_no_matching_account_for_tenant(get_token_method): """one cached account, tenant specified, tenant doesn't match -> credential should raise""" upn = "spam@eggs" tenant = "some-guid" account = get_account_event(username=upn, uid="uid", utid=tenant, refresh_token="refresh-token") cache = populated_cache(account) with pytest.raises(CredentialUnavailableError) as ex: await getattr(SharedTokenCacheCredential(_cache=cache, tenant_id="not-" + tenant), get_token_method)("scope") assert ex.value.message.startswith(NO_MATCHING_ACCOUNTS[: NO_MATCHING_ACCOUNTS.index("{")]) assert "not-" + tenant in ex.value.message @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_no_matching_account_for_tenant_and_username(get_token_method): """one cached account, tenant and username specified, neither match -> credential should raise""" upn = "spam@eggs" tenant = "some-guid" account = get_account_event(username=upn, uid="uid", utid=tenant, refresh_token="refresh-token") cache = populated_cache(account) with pytest.raises(CredentialUnavailableError) as ex: await getattr( SharedTokenCacheCredential(_cache=cache, tenant_id="not-" + tenant, username="not" + upn), get_token_method, )("scope") assert ex.value.message.startswith(NO_MATCHING_ACCOUNTS[: NO_MATCHING_ACCOUNTS.index("{")]) assert "not" + upn in ex.value.message and "not-" + tenant in ex.value.message @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_no_matching_account_for_tenant_or_username(get_token_method): """two cached accounts, username and tenant specified, one account matches each -> credential should raise""" refresh_token_a = "refresh-token-a" refresh_token_b = "refresh-token-b" upn_a = "a@foo" upn_b = "b@foo" tenant_a = "tenant-a" tenant_b = "tenant-b" account_a = get_account_event(username=upn_a, uid="uid_a", utid=tenant_a, refresh_token=refresh_token_a) account_b = get_account_event(username=upn_b, uid="uid_b", utid=tenant_b, refresh_token=refresh_token_b) cache = populated_cache(account_a, account_b) transport = Mock(side_effect=Exception()) # credential shouldn't use the network credential = SharedTokenCacheCredential(username=upn_a, tenant_id=tenant_b, _cache=cache, transport=transport) with pytest.raises(CredentialUnavailableError) as ex: await getattr(credential, get_token_method)("scope") assert ex.value.message.startswith(NO_MATCHING_ACCOUNTS[: NO_MATCHING_ACCOUNTS.index("{")]) assert upn_a in ex.value.message and tenant_b in ex.value.message credential = SharedTokenCacheCredential(username=upn_b, tenant_id=tenant_a, _cache=cache, transport=transport) with pytest.raises(CredentialUnavailableError) as ex: await getattr(credential, get_token_method)("scope") assert ex.value.message.startswith(NO_MATCHING_ACCOUNTS[: NO_MATCHING_ACCOUNTS.index("{")]) assert upn_b in ex.value.message and tenant_a in ex.value.message @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_single_account_matching_username(get_token_method): """one cached account, username specified, username matches -> credential should auth that account""" upn = "spam@eggs" refresh_token = "refresh-token" scope = "scope" account = get_account_event(uid="uid_a", utid="utid", username=upn, refresh_token=refresh_token) cache = populated_cache(account) expected_token = "***" transport = async_validating_transport( requests=[Request(required_data={"refresh_token": refresh_token, "scope": scope})], responses=[mock_response(json_payload=build_aad_response(access_token=expected_token))], ) credential = SharedTokenCacheCredential(_cache=cache, transport=transport, username=upn) token = await getattr(credential, get_token_method)(scope) assert token.token == expected_token @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_single_account_matching_tenant(get_token_method): """one cached account, tenant specified, tenant matches -> credential should auth that account""" tenant_id = "tenant-id" refresh_token = "refresh-token" scope = "scope" account = get_account_event(uid="uid_a", utid=tenant_id, username="spam@eggs", refresh_token=refresh_token) cache = populated_cache(account) expected_token = "***" transport = async_validating_transport( requests=[Request(required_data={"refresh_token": refresh_token, "scope": scope})], responses=[mock_response(json_payload=build_aad_response(access_token=expected_token))], ) credential = SharedTokenCacheCredential(_cache=cache, transport=transport, tenant_id=tenant_id) token = await getattr(credential, get_token_method)(scope) assert token.token == expected_token @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_single_account_matching_tenant_and_username(get_token_method): """one cached account, tenant and username specified, both match -> credential should auth that account""" upn = "spam@eggs" tenant_id = "tenant-id" refresh_token = "refresh-token" scope = "scope" account = get_account_event(uid="uid_a", utid=tenant_id, username=upn, refresh_token=refresh_token) cache = populated_cache(account) expected_token = "***" transport = async_validating_transport( requests=[Request(required_data={"refresh_token": refresh_token, "scope": scope})], responses=[mock_response(json_payload=build_aad_response(access_token=expected_token))], ) credential = SharedTokenCacheCredential(_cache=cache, transport=transport, tenant_id=tenant_id, username=upn) token = await getattr(credential, get_token_method)(scope) assert token.token == expected_token @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_single_account(get_token_method): """one cached account, no username specified -> credential should auth that account""" refresh_token = "refresh-token" scope = "scope" account = get_account_event(uid="uid_a", utid="utid", username="spam@eggs", refresh_token=refresh_token) cache = populated_cache(account) expected_token = "***" transport = async_validating_transport( requests=[Request(required_data={"refresh_token": refresh_token, "scope": scope})], responses=[mock_response(json_payload=build_aad_response(access_token=expected_token))], ) credential = SharedTokenCacheCredential(_cache=cache, transport=transport) token = await getattr(credential, get_token_method)(scope) assert token.token == expected_token @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_no_refresh_token(get_token_method): """one cached account, account has no refresh token -> credential should raise""" account = get_account_event(uid="uid_a", utid="utid", username="spam@eggs", refresh_token=None) cache = populated_cache(account) transport = Mock(side_effect=Exception()) # credential shouldn't use the network credential = SharedTokenCacheCredential(_cache=cache, transport=transport) with pytest.raises(CredentialUnavailableError, match=NO_ACCOUNTS): await getattr(credential, get_token_method)("scope") credential = SharedTokenCacheCredential(_cache=cache, transport=transport, username="not@cache") with pytest.raises(CredentialUnavailableError, match=NO_ACCOUNTS): await getattr(credential, get_token_method)("scope") @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_two_accounts_no_username_or_tenant(get_token_method): """two cached accounts, no username or tenant specified -> credential should raise""" upn_a = "a@foo" upn_b = "b@foo" account_a = get_account_event(username=upn_a, uid="uid_a", utid="utid") account_b = get_account_event(username=upn_b, uid="uid_b", utid="utid") cache = populated_cache(account_a, account_b) # credential can't select an identity => it shouldn't use the network transport = Mock(side_effect=Exception()) # two users in the cache, no username specified -> CredentialUnavailableError credential = SharedTokenCacheCredential(_cache=cache, transport=transport) with pytest.raises(ClientAuthenticationError, match=MULTIPLE_ACCOUNTS) as ex: await getattr(credential, get_token_method)("scope") @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_two_accounts_username_specified(get_token_method): """two cached accounts, username specified, one account matches -> credential should auth that account""" scope = "scope" expected_refresh_token = "refresh-token-a" upn_a = "a@foo" upn_b = "b@foo" account_a = get_account_event(username=upn_a, uid="uid_a", utid="utid", refresh_token=expected_refresh_token) account_b = get_account_event(username=upn_b, uid="uid_b", utid="utid", refresh_token="refresh_token_b") cache = populated_cache(account_a, account_b) expected_token = "***" transport = async_validating_transport( requests=[Request(required_data={"refresh_token": expected_refresh_token, "scope": scope})], responses=[mock_response(json_payload=build_aad_response(access_token=expected_token))], ) credential = SharedTokenCacheCredential(username=upn_a, _cache=cache, transport=transport) token = await getattr(credential, get_token_method)(scope) assert token.token == expected_token @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_two_accounts_tenant_specified(get_token_method): """two cached accounts, tenant specified, one account matches -> credential should auth that account""" scope = "scope" expected_refresh_token = "refresh-token-a" upn_a = "a@foo" upn_b = "b@foo" tenant_id = "tenant-id" account_a = get_account_event(username=upn_a, uid="uid_a", utid=tenant_id, refresh_token=expected_refresh_token) account_b = get_account_event(username=upn_b, uid="uid_b", utid="utid", refresh_token="refresh_token_b") cache = populated_cache(account_a, account_b) expected_token = "***" transport = async_validating_transport( requests=[Request(required_data={"refresh_token": expected_refresh_token, "scope": scope})], responses=[mock_response(json_payload=build_aad_response(access_token=expected_token))], ) credential = SharedTokenCacheCredential(tenant_id=tenant_id, _cache=cache, transport=transport) token = await getattr(credential, get_token_method)(scope) assert token.token == expected_token @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_two_accounts_tenant_and_username_specified(get_token_method): """two cached accounts, tenant and username specified, one account matches both -> credential should auth that account""" scope = "scope" expected_refresh_token = "refresh-token-a" upn_a = "a@foo" upn_b = "b@foo" tenant_id = "tenant-id" account_a = get_account_event(username=upn_a, uid="uid_a", utid=tenant_id, refresh_token=expected_refresh_token) account_b = get_account_event(username=upn_b, uid="uid_b", utid="utid", refresh_token="refresh_token_b") cache = populated_cache(account_a, account_b) expected_token = "***" transport = async_validating_transport( requests=[Request(required_data={"refresh_token": expected_refresh_token, "scope": scope})], responses=[mock_response(json_payload=build_aad_response(access_token=expected_token))], ) credential = SharedTokenCacheCredential(tenant_id=tenant_id, username=upn_a, _cache=cache, transport=transport) token = await getattr(credential, get_token_method)(scope) assert token.token == expected_token @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_same_username_different_tenants(get_token_method): """two cached accounts, same username, different tenants""" access_token_a = "access-token-a" access_token_b = "access-token-b" refresh_token_a = "refresh-token-a" refresh_token_b = "refresh-token-b" upn = "spam@eggs" tenant_a = "tenant-a" tenant_b = "tenant-b" account_a = get_account_event(username=upn, uid="another-guid", utid=tenant_a, refresh_token=refresh_token_a) account_b = get_account_event(username=upn, uid="more-guid", utid=tenant_b, refresh_token=refresh_token_b) cache = populated_cache(account_a, account_b) # with no tenant specified the credential can't select an identity transport = Mock(side_effect=Exception()) # (so it shouldn't use the network) credential = SharedTokenCacheCredential(username=upn, _cache=cache, transport=transport) with pytest.raises(CredentialUnavailableError) as ex: await getattr(credential, get_token_method)("scope") assert ex.value.message.startswith(MULTIPLE_MATCHING_ACCOUNTS[: MULTIPLE_MATCHING_ACCOUNTS.index("{")]) assert upn in ex.value.message # with tenant specified, the credential should auth the matching account scope = "scope" transport = async_validating_transport( requests=[Request(required_data={"refresh_token": refresh_token_a, "scope": scope})], responses=[mock_response(json_payload=build_aad_response(access_token=access_token_a))], ) credential = SharedTokenCacheCredential(tenant_id=tenant_a, _cache=cache, transport=transport) token = await getattr(credential, get_token_method)(scope) assert token.token == access_token_a transport = async_validating_transport( requests=[Request(required_data={"refresh_token": refresh_token_b, "scope": scope})], responses=[mock_response(json_payload=build_aad_response(access_token=access_token_b))], ) credential = SharedTokenCacheCredential(tenant_id=tenant_b, _cache=cache, transport=transport) token = await getattr(credential, get_token_method)(scope) assert token.token == access_token_b @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_same_tenant_different_usernames(get_token_method): """two cached accounts, same tenant, different usernames""" access_token_a = "access-token-a" access_token_b = "access-token-b" refresh_token_a = "refresh-token-a" refresh_token_b = "refresh-token-b" upn_a = "spam@eggs" upn_b = "eggs@spam" tenant_id = "the-tenant" account_a = get_account_event(username=upn_a, uid="another-guid", utid=tenant_id, refresh_token=refresh_token_a) account_b = get_account_event(username=upn_b, uid="more-guid", utid=tenant_id, refresh_token=refresh_token_b) cache = populated_cache(account_a, account_b) # with no username specified the credential can't select an identity transport = Mock(side_effect=Exception()) # (so it shouldn't use the network) credential = SharedTokenCacheCredential(tenant_id=tenant_id, _cache=cache, transport=transport) with pytest.raises(CredentialUnavailableError) as ex: await getattr(credential, get_token_method)("scope") assert ex.value.message.startswith(MULTIPLE_MATCHING_ACCOUNTS[: MULTIPLE_MATCHING_ACCOUNTS.index("{")]) assert tenant_id in ex.value.message # with a username specified, the credential should auth the matching account scope = "scope" transport = async_validating_transport( requests=[Request(required_data={"refresh_token": refresh_token_b, "scope": scope})], responses=[mock_response(json_payload=build_aad_response(access_token=access_token_a))], ) credential = SharedTokenCacheCredential(username=upn_b, _cache=cache, transport=transport) token = await getattr(credential, get_token_method)(scope) assert token.token == access_token_a transport = async_validating_transport( requests=[Request(required_data={"refresh_token": refresh_token_a, "scope": scope})], responses=[mock_response(json_payload=build_aad_response(access_token=access_token_a))], ) credential = SharedTokenCacheCredential(username=upn_a, _cache=cache, transport=transport) token = await getattr(credential, get_token_method)(scope) assert token.token == access_token_a @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_authority_aliases(get_token_method): """the credential should use a refresh token valid for any known alias of its authority""" expected_access_token = "access-token" for authority in KNOWN_ALIASES: # cache a token for this authority expected_refresh_token = authority.replace(".", "") account = get_account_event( "spam@eggs", "uid", "tenant", authority=authority, refresh_token=expected_refresh_token ) cache = populated_cache(account) # the token should be acceptable for this authority itself transport = async_validating_transport( requests=[Request(authority=authority, required_data={"refresh_token": expected_refresh_token})], responses=[mock_response(json_payload=build_aad_response(access_token=expected_access_token))], ) credential = SharedTokenCacheCredential(authority=authority, _cache=cache, transport=transport) token = await getattr(credential, get_token_method)("scope") assert token.token == expected_access_token # it should also be acceptable for every known alias of this authority for alias in KNOWN_ALIASES[authority]: transport = async_validating_transport( requests=[Request(authority=alias, required_data={"refresh_token": expected_refresh_token})], responses=[mock_response(json_payload=build_aad_response(access_token=expected_access_token))], ) credential = SharedTokenCacheCredential(authority=alias, _cache=cache, transport=transport) token = await getattr(credential, get_token_method)("scope") assert token.token == expected_access_token @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_authority_with_no_known_alias(get_token_method): """given an appropriate token, an authority with no known aliases should work""" authority = "unknown.authority" expected_access_token = "access-token" expected_refresh_token = "refresh-token" account = get_account_event("spam@eggs", "uid", "tenant", authority=authority, refresh_token=expected_refresh_token) cache = populated_cache(account) transport = async_validating_transport( requests=[Request(authority=authority, required_data={"refresh_token": expected_refresh_token})], responses=[mock_response(json_payload=build_aad_response(access_token=expected_access_token))], ) credential = SharedTokenCacheCredential(authority=authority, _cache=cache, transport=transport) token = await getattr(credential, get_token_method)("scope") assert token.token == expected_access_token @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_authority_environment_variable(get_token_method): """the credential should accept an authority by environment variable when none is otherwise specified""" authority = "localhost" expected_access_token = "access-token" expected_refresh_token = "refresh-token" account = get_account_event("spam@eggs", "uid", "tenant", authority=authority, refresh_token=expected_refresh_token) cache = populated_cache(account) transport = async_validating_transport( requests=[Request(authority=authority, required_data={"refresh_token": expected_refresh_token})], responses=[mock_response(json_payload=build_aad_response(access_token=expected_access_token))], ) with patch.dict("os.environ", {EnvironmentVariables.AZURE_AUTHORITY_HOST: authority}, clear=True): credential = SharedTokenCacheCredential(transport=transport, _cache=cache) token = await getattr(credential, get_token_method)("scope") assert token.token == expected_access_token @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_initialization(get_token_method): """the credential should attempt to load the cache when it's needed and no cache has been established.""" with patch("azure.identity._persistent_cache._get_persistence") as mock_cache_loader: mock_cache_loader.side_effect = Exception("it didn't work") credential = SharedTokenCacheCredential() assert mock_cache_loader.call_count == 0 with pytest.raises(CredentialUnavailableError, match="Shared token cache unavailable"): await getattr(credential, get_token_method)("scope") assert mock_cache_loader.call_count == 1 with pytest.raises(CredentialUnavailableError, match="Shared token cache unavailable"): await getattr(credential, get_token_method)("scope") assert mock_cache_loader.call_count == 2 @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_initialization_with_cache_options(get_token_method): """the credential should use user-supplied persistence options""" with patch("azure.identity._internal.shared_token_cache._load_persistent_cache") as mock_cache_loader: options = TokenCachePersistenceOptions(name="foo.cache") credential = SharedTokenCacheCredential(cache_persistence_options=options) with pytest.raises(CredentialUnavailableError): await getattr(credential, get_token_method)("scope") assert mock_cache_loader.call_count == 1 @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_multitenant_authentication(get_token_method): first_token = "***" second_tenant = "second-tenant" second_token = first_token * 2 async def send(request, **kwargs): # ensure the `claims` and `tenant_id` keywords from credential's `get_token` method don't make it to transport assert "claims" not in kwargs assert "tenant_id" not in kwargs parsed = urlparse(request.url) tenant_id = parsed.path.split("/")[1] return mock_response( json_payload=build_aad_response( access_token=second_token if tenant_id == second_tenant else first_token, id_token_claims=id_token_claims(aud="...", iss="...", sub="..."), ) ) authority = "localhost" expected_account = get_account_event( "user", "object-id", "tenant-id", authority=authority, client_id="client-id", refresh_token="**" ) cache = populated_cache(expected_account) credential = SharedTokenCacheCredential( authority=authority, transport=Mock(send=send), _cache=cache, additionally_allowed_tenants=["*"] ) token = await getattr(credential, get_token_method)("scope") assert token.token == first_token kwargs = {"tenant_id": "organizations"} if get_token_method == "get_token_info": kwargs = {"options": kwargs} token = await getattr(credential, get_token_method)("scope", **kwargs) assert token.token == first_token kwargs = {"tenant_id": second_tenant} if get_token_method == "get_token_info": kwargs = {"options": kwargs} token = await getattr(credential, get_token_method)("scope", **kwargs) assert token.token == second_token # should still default to the first tenant token = await getattr(credential, get_token_method)("scope") assert token.token == first_token @pytest.mark.asyncio @pytest.mark.parametrize("get_token_method", GET_TOKEN_METHODS) async def test_multitenant_authentication_not_allowed(get_token_method): default_tenant = "organizations" expected_token = "***" async def send(request, **kwargs): # ensure the `claims` and `tenant_id` keywords from credential's `get_token` method don't make it to transport assert "claims" not in kwargs assert "tenant_id" not in kwargs parsed = urlparse(request.url) tenant_id = parsed.path.split("/")[1] assert tenant_id == default_tenant return mock_response( json_payload=build_aad_response( access_token=expected_token, id_token_claims=id_token_claims(aud="...", iss="...", sub="..."), ) ) authority = "localhost" expected_account = get_account_event( "user", "object-id", "tenant-id", authority=authority, client_id="client-id", refresh_token="**" ) cache = populated_cache(expected_account) credential = SharedTokenCacheCredential(authority=authority, transport=Mock(send=send), _cache=cache) token = await getattr(credential, get_token_method)("scope") assert token.token == expected_token kwargs = {"tenant_id": default_tenant} if get_token_method == "get_token_info": kwargs = {"options": kwargs} token = await getattr(credential, get_token_method)("scope", **kwargs) assert token.token == expected_token kwargs = {"tenant_id": "some_tenant"} if get_token_method == "get_token_info": kwargs = {"options": kwargs} with patch.dict("os.environ", {EnvironmentVariables.AZURE_IDENTITY_DISABLE_MULTITENANTAUTH: "true"}): token = await getattr(credential, get_token_method)("scope", **kwargs) assert token.token == expected_token