prevent leaking MSAL exceptions

sdk/identity/azure-identity/azure/identity/_internal/__init__.py

@@ -3,5 +3,6 @@
 # Licensed under the MIT License.
 # ------------------------------------
 from .auth_code_redirect_handler import AuthCodeRedirectServer
+from .exception_wrapper import wrap_exceptions
 from .msal_credentials import ConfidentialClientCredential, PublicClientCredential
 from .msal_transport_adapter import MsalTransportAdapter, MsalTransportResponse

sdk/identity/azure-identity/azure/identity/_internal/exception_wrapper.py

@@ -0,0 +1,25 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+import functools
+
+from six import raise_from
+
+from azure.core.exceptions import ClientAuthenticationError
+
+
+def wrap_exceptions(fn):
+    """Prevents leaking exceptions defined outside azure-core by raising ClientAuthenticationError from them."""
+
+    @functools.wraps(fn)
+    def wrapper(*args, **kwargs):
+        try:
+            return fn(*args, **kwargs)
+        except ClientAuthenticationError:
+            raise
+        except Exception as ex:
+            auth_error = ClientAuthenticationError(message="Authentication failed: {}".format(ex))
+            raise_from(auth_error, ex)
+
+    return wrapper

sdk/identity/azure-identity/azure/identity/_internal/msal_credentials.py

@@ -12,6 +12,7 @@
 from azure.core.credentials import AccessToken
 from azure.core.exceptions import ClientAuthenticationError
 
+from .exception_wrapper import wrap_exceptions
 from .msal_transport_adapter import MsalTransportAdapter
 
 try:
@@ -75,6 +76,7 @@ def _create_app(self, cls):
 class ConfidentialClientCredential(MsalCredential):
     """Wraps an MSAL ConfidentialClientApplication with the TokenCredential API"""
 
+    @wrap_exceptions
     def get_token(self, *scopes):
         # type: (str) -> AccessToken
 

sdk/identity/azure-identity/azure/identity/browser_auth.py

@@ -18,7 +18,7 @@
 from azure.core.credentials import AccessToken
 from azure.core.exceptions import ClientAuthenticationError
 
-from ._internal import AuthCodeRedirectServer, ConfidentialClientCredential
+from ._internal import AuthCodeRedirectServer, ConfidentialClientCredential, wrap_exceptions
 
 
 class InteractiveBrowserCredential(ConfidentialClientCredential):
@@ -48,6 +48,7 @@ def __init__(self, client_id, client_secret, **kwargs):
             client_id=client_id, client_credential=client_secret, authority=authority, **kwargs
         )
 
+    @wrap_exceptions
     def get_token(self, *scopes):
         # type: (str) -> AccessToken
         """

sdk/identity/azure-identity/azure/identity/credentials.py

@@ -15,7 +15,7 @@
 
 from ._authn_client import AuthnClient
 from ._base import ClientSecretCredentialBase, CertificateCredentialBase
-from ._internal import PublicClientCredential
+from ._internal import PublicClientCredential, wrap_exceptions
 from ._managed_identity import ImdsCredential, MsiCredential
 from .constants import Endpoints, EnvironmentVariables
 
@@ -285,6 +285,7 @@ def __init__(self, client_id, prompt_callback=None, **kwargs):
         self._prompt_callback = prompt_callback
         super(DeviceCodeCredential, self).__init__(client_id=client_id, **kwargs)
 
+    @wrap_exceptions
     def get_token(self, *scopes):
         # type (*str) -> AccessToken
         """
@@ -358,6 +359,7 @@ def __init__(self, client_id, username, password, **kwargs):
         self._username = username
         self._password = password
 
+    @wrap_exceptions
     def get_token(self, *scopes):
         # type (*str) -> AccessToken
         """

sdk/identity/azure-identity/setup.py

@@ -69,6 +69,6 @@
             "azure",
         ]
     ),
-    install_requires=["azure-core<2.0.0,>=1.0.0b1", "cryptography>=2.1.4", "msal~=0.4.1"],
+    install_requires=["azure-core<2.0.0,>=1.0.0b1", "cryptography>=2.1.4", "msal~=0.4.1", "six>=1.6"],
     extras_require={":python_version<'3.0'": ["azure-nspkg"], ":python_version<'3.5'": ["typing"]},
 )