identity_vscode_credential #10840
Merged
identity_vscode_credential #10840
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
chlowell
reviewed
Apr 15, 2020
sdk/identity/azure-identity/azure/identity/_credentials/win_vscode_credential.py
Outdated
Show resolved
Hide resolved
sdk/identity/azure-identity/azure/identity/_credentials/win_vscode_credential.py
Outdated
Show resolved
Hide resolved
sdk/identity/azure-identity/tests/test_win_vscode_credential.py
Outdated
Show resolved
Hide resolved
sdk/identity/azure-identity/azure/identity/_credentials/win_vscode_credential.py
Outdated
Show resolved
Hide resolved
chlowell
reviewed
Apr 16, 2020
sdk/identity/azure-identity/tests/test_win_vscode_credential.py
Outdated
Show resolved
Hide resolved
chlowell
reviewed
Apr 16, 2020
sdk/identity/azure-identity/azure/identity/_credentials/linux_vscode_credential.py
Outdated
Show resolved
Hide resolved
chlowell
reviewed
Apr 29, 2020
sdk/identity/azure-identity/azure/identity/_credentials/linux_vscode_adapter.py
Outdated
Show resolved
Hide resolved
| raise CredentialUnavailableError( | ||
| message="No Azure user is logged in to Visual Studio Code." | ||
| ) | ||
| token = self._client.get_cached_access_token(scopes) |
There was a problem hiding this comment.
Shouldn't this go before trying to get a refresh token?
There was a problem hiding this comment.
If we fail to get a refresh token (which means the user may have logged out), why we should still return a valid token if there is one stored?
There was a problem hiding this comment.
The point is perhaps moot because get_token is usually called by an auth policy which caches access tokens itself. There will typically be a period of minutes--during which authorization will succeed--between a user signing out and the next get_token call.
Still, you ask a good question. Here's a couple things to think about in answering it:
- Access tokens aren't connected to refresh tokens. They're valid for their (short) lifetimes even after the refresh token used to acquire them expires or is revoked.
- In this scenario the user has signed out but left a program running. The program has tried to send a service request. Which is more surprising to the user: the request succeeding, or failing?
There's another interesting case here. The user can change the signed in identity between two calls to get_token. That suggests an argument for having get_token always redeem the refresh token, if any, for a new access token, although I don't think users should expect changing identities midstream to pass without error. Redeeming the refresh token every time also raises another issue: when we redeem a refresh token, AAD may return us a new one and invalidate the one we sent. We don't contribute this new refresh token back to VS Code. That means our credential can invalidate the Azure Account extension's refresh token but itself continue to succeed and I guess we then recurse on "what happens if the user signs out of the extension?" 😸
I'm trying to get all the food for thought here down on this page, sorry for all the words. Personally I now lean toward:
- forget caching in this credential; leave it up to the auth policy
- if the user signs out or changes the signed in identity, we make no promises: undefined behavior ahead
- iterate following feedback
Anyone else have thoughts?
There was a problem hiding this comment.
In this scenario the user has signed out but left a program running. The program has tried to send a service request. Which is more surprising to the user: the request succeeding, or failing?
I think the choices are failing immediately or failing in a few minutes. I lean toward failing immediately because
- It is deterministic
- It is easier to diagnose.
annatisch
reviewed
Apr 29, 2020
|
|
||
|
|
||
| def _c_str(string): | ||
| return ct.c_char_p(string.encode('utf-8')) |
There was a problem hiding this comment.
It seems this is used for service name and account name - service name is probably okay, but is there any change that an account name might not be utf8?
There was a problem hiding this comment.
This is a good question and I don't have an answer. I opened #11135 to track it.
There was a problem hiding this comment.
Yes. I discussed with Anna offline. We assume this is utf8. We will try if we can find a way to test it.
annatisch
reviewed
Apr 29, 2020
sdk/identity/azure-identity/azure/identity/_credentials/linux_vscode_adapter.py
Show resolved
Hide resolved
annatisch
reviewed
Apr 29, 2020
sdk/identity/azure-identity/azure/identity/_credentials/linux_vscode_adapter.py
Outdated
Show resolved
Hide resolved
lmazuel
reviewed
Apr 29, 2020
|
|
||
|
|
||
| try: | ||
| _libsecret = ct.cdll.LoadLibrary('libsecret-1.so.0') |
There was a problem hiding this comment.
Do we want a message if the lib is not available, to do something like sudo apt-get install libsecret-1-0 or something?
There was a problem hiding this comment.
In fact, this credential is usually used in DefaultCredential which is a chain of credentials. If one does not work, it will try next one. So if libsecret-1-0 is not installed, we prefer just skip this one and go to next credential rather than failing.
There was a problem hiding this comment.
In other words, if libsecret-1-0 is not installed, the feature is disabled silently.
There was a problem hiding this comment.
Re-thinking this, I guess if they have vscode the lib is available, or maybe vscode embed it to save their credentials?
There was a problem hiding this comment.
Azure connectors (e.g. azure-account, azure-storage, etc.) are vs code extensions. User can use VS code w/o them. Given this case, user uses vs code w/o Azure extensions. (and libsecret-1-0 is not installed). We should just not do anything, right?
There was a problem hiding this comment.
I got my answer:
$ dpkg -I /mnt/c/Users/lmazuel/Downloads/code_1.44.2-1587059832_amd64.deb
new Debian package, version 2.0.
size 62335842 bytes: control archive=2325 bytes.
705 bytes, 14 lines control
2909 bytes, 73 lines * postinst #!/usr/bin/env
189 bytes, 5 lines * postrm #!/bin/bash
274 bytes, 6 lines * prerm #!/usr/bin/env
Package: code
Version: 1.44.2-1587059832
Section: devel
Depends: libnotify4, libnss3 (>= 2:3.26), gnupg, apt, libxkbfile1, libsecret-1-0, libgtk-3-0 (>= 3.10.0), libxss1
Priority: optional
Architecture: amd64
Maintainer: Microsoft Corporation <[email protected]>
Homepage: https://code.visualstudio.com/
Installed-Size: 259118
Provides: visual-studio-code
Conflicts: visual-studio-code
Replaces: visual-studio-code
Description: Code editing. Redefined.
Visual Studio Code is a new choice of tool that combines the simplicity of a code editor with what developers need for the core edit-build-debug cycle. See https://code.visualstudio.com/docs/setup/linux for installation instructions and FAQ.
This means libsecret will be installed if you have vscode
lmazuel
reviewed
Apr 30, 2020
| return None | ||
| schema = _libsecret.secret_schema_new(_c_str("org.freedesktop.Secret.Generic"), 2, | ||
| _c_str("service"), 0, _c_str("account"), 0, None) | ||
| p_str = _libsecret.secret_password_lookup_sync(schema, None, None, _c_str("service"), _c_str(service_name), |
There was a problem hiding this comment.
You're passing None for the third parameter, you're not checking the error. From the testbase of libsecret
static void
test_lookup_no_name (Test *test,
gconstpointer used)
{
GError *error = NULL;
gchar *password;
/* should return null, because nothing with mock schema and 5 */
password = secret_password_lookup_sync (&MOCK_SCHEMA, NULL, &error,
"number", 5,
NULL);
g_assert_no_error (error);
g_assert (password == NULL);
/* should return an item, because we have a prime schema with 5, and flags not to match name */
password = secret_password_lookup_sync (&NO_NAME_SCHEMA, NULL, &error,
"number", 5,
NULL);
g_assert_no_error (error);
g_assert_cmpstr (password, ==, "555");
secret_password_free (password);
}There was a problem hiding this comment.
I'm keen to see the coredump on 2.7 ;)
lmazuel
reviewed
Apr 30, 2020
| _c_str("service"), 0, _c_str("account"), 0, None) | ||
| p_str = _libsecret.secret_password_lookup_sync(schema, None, None, _c_str("service"), _c_str(service_name), | ||
| _c_str("account"), _c_str(account_name), None) | ||
| return ct.c_char_p(p_str).value.decode('utf-8') |
There was a problem hiding this comment.
Is this an actual password that could be utf8, or an ascii token?
There was a problem hiding this comment.
We tried some real ones and they were utf8.
lmazuel
reviewed
Apr 30, 2020
sdk/identity/azure-identity/azure/identity/_credentials/linux_vscode_adapter.py
Show resolved
Hide resolved
chlowell
reviewed
Apr 30, 2020
sdk/identity/azure-identity/azure/identity/_credentials/linux_vscode_adapter.py
Show resolved
Hide resolved
chlowell
reviewed
Apr 30, 2020
lmazuel
approved these changes
Apr 30, 2020
|
Could you please format this with |
Merged
xiangyan99
added a commit
that referenced
this pull request
May 1, 2020
* [DataLake][Bug]Upload is not working with umask and permissions (#10845) * Add force generation to SwaggerToSdk (#10933) * [formrecognizer] edits to docstrings (#11003) * edits to docstrings * correct date * updating setup template (#11022) * [formrecognizer] handle unsupervised pages better with service bug (#11017) * handle unsupervised pages better * python 2 oops * Increment package version after release of azure_ai_formrecognizer (#11026) * add regular endpoint in new env variable (#11031) * Update Ubuntu VM Image to 18.04 (#11032) * updating the VM image, need to update the recording as well. * update release * fixing merge error (#11039) * Fixing compute test (#11036) * trigger test * Packaging update of azure-mgmt-compute * fix test * fix * fix duplicated comment Co-authored-by: Azure SDK Bot <[email protected]> * Servicebus - Track2 - Remove timeout from Send (#11002) * With retry options available, send should no longer require its own timeout. Removes the parameter from sync and async clients, adds a note to changelog about the delta. * rename SearchIndexClient -> SearchClient (#10964) * Implementation for Datasources operations (#11012) * Initial Commit * lint + mypy * tests * recordings update * Apply suggestions from code review * typo * remove datasource * lint * rename to get_datasources Co-authored-by: Bryan Van de Ven <[email protected]> * [ServiceBus] Update for readme and sample (#11047) * tweak sample code * update according to comment * add aad sample in readme * Update sdk/servicebus/azure-servicebus/README.md Co-Authored-By: KieranBrantnerMagee <[email protected]> Co-authored-by: KieranBrantnerMagee <[email protected]> * Fix pip link in azure-keyvault-secrets readme (#11056) * fixed alternative document input samples (#11078) * Add sync/async samples to demonstrate consuming from a number of sessions at one time. (#11001) * Add sync/async samples to demonstrate consuming from a number of sessions at one time. * Add informational message to session pool samples regarding the exit condition and how it manifests. * [ServiceBus] Settle non-deferred message through receiver link (#10800) * settle non-deferred message through receiver link except dead_letter * revert dead-letter back to t1 as well * improve settlement and put is_deferred_letter into kwargs * add test * update according to comment * fix a bug in dead_letter through receiver_link * Search README issues (#11082) * fix for azure.search.documents change * indentation, naming * SearchIndexClient -> SearchClient * Update README.md (#11084) * [ServiceBus] Remove exception from __init__.py (#11080) * remove exception from __init__.py * update changelog, fix some docstring and sample error * Pin astroid to 2.3.3 to fix pylint failure (#11088) * Lint error in cosmos (#11092) * Fix TYPING cycles if TYPE_CHECKING manually forced (#10799) * Improve mypy typing for azure core (#10653) * first commit * more changes * few changes * lint * comments * more changes * fix test * lint * mypy * comments * changes * async polling method * async * Accept authority option with or without scheme (#11050) * Split Search Service Client (#11090) * split datasources client * split skillsets client * split synonym maps client * split indexes client * cleanup * [text analytics] Add how to get json response to sample (#11102) * ARM default whitelist headers (#10940) * ARM default whitelist headers * ChangeLog * Typo * Syntax error * Update sdk/core/azure-mgmt-core/CHANGELOG.md Co-Authored-By: Jiashuo Li <[email protected]> * More headers Co-authored-by: Jiashuo Li <[email protected]> * update version (#11106) * Return pageable for Search list_indexes (#11125) * Adjust README with comments from the per-release doc review. (#11110) * Adjust README with comments from the per-release doc review. * Make additional breadcrumb to samples higher in the page, duplication is OKd (and even recommended) in this case. * Removed spurious FIFO reference. * Added a note about preview vs. existing docs, with breadcrumb to existing libs. * Make 0.50 doc links more specific. * [Event Hubs] add enqueueTime to Process span links (#10932) * remove formatter in samples/readme.md to prevent preview samples being published (#10884) * [DataLake]Update ChangeLog (#11133) * Add capability to send multiple events in one Send() call. (#11093) * Add the ability for send to take a list of messages, failing if they don't fit in a single batch to maintain idempotency. * Adds tests for multisend. * Puts details of multisend into the changelog. * Adjust docstring type definition for send() async. * Make test more targeted (256KB) for too-large validation. * Create batch helper to create from list. * Adjust docstrings to point to proper exception location instead of under common. * Fix failing unit test expecting the old send error type. * Remove test segments that will likely never be readded (queue message) and make docstring type inputs for send() more precise. * Set time out to 90 mins for regression test (#11105) * Autorest check to run tests in autorestv3 branch for core (#11131) * Autorest CI changes to use autorestv3 * Add DeleteAfter tag to Search test resource groups (#11136) * add DeleteAfter tag to RG * update recordings * Increment version for storage releases (#11138) * Increment package version after release of azure_storage_blob * Increment package version after release of azure_storage_file_datalake * [Event Hubs] `EventHubProducerClient.send_batch` accepts a list of EventData (#11079) * add ServiceDirectory to usage of remove-test-resources.yml (#11117) * resume subscriptions test (#11111) * resume subscriptions test * recording subscriptions * Adding test for signalr (#11146) * generated signalr test * generated recording * Packaging update of azure-mgmt-signalr Co-authored-by: Azure SDK Bot <[email protected]> * update live tests yml + add form (#11139) * [Service Bus] Exception Handling review (#11060) * [form recognizer] add repr (#11150) * [ServiceBus] Support for scheduling and cancellation (#11095) * make schedule a property on the message * make send api public * schedule and cancellation * remove iterable type hint and docstring * update implementation * update comment * update docs * Update sdk/servicebus/azure-servicebus/CHANGELOG.md Co-authored-by: KieranBrantnerMagee <[email protected]> Co-authored-by: KieranBrantnerMagee <[email protected]> * identity_vscode_credential (#10840) * identity_win_vscode_credential Co-authored-by: Charles Lowell <[email protected]> * Sync eng/common directory with azure-sdk-tools repository (#11007) * ChangeLog generics for autorest v5 (#10885) * ChangeLog generics for autorest v5 * Update changelog_generics.md * [Event Hubs] Add params in stress test command line for receive batch and send list (#11161) * Storageache cjf (#11122) * Update from master * release azure-mgmt-storagecache * Update CHANGELOG.md * Packaging update of azure-mgmt-storagecache Co-authored-by: SDK Automation <[email protected]> Co-authored-by: Your Name <[email protected]> Co-authored-by: Azure SDK Bot <[email protected]> * added AzureKeyCredential link to readme (#11089) * Fix core auth (#11177) * [Azure-Core]Auth Header missing when token credential is not expired * Fix mypy * Test we put the header even if we didn't tech a new token Co-authored-by: xiafu <[email protected]> * [formrecognizer] increase test coverage (#11096) * working on more tests * add multipage tests for custom form and training * adding multipage tests * fix * add tests for bad input into custom analyze * remove test dependency on storage * update tests.yml * fix for custom analyze url unlabeled tests * update changelog * review feedback * pushing a commit to reset CI * Release edits for Search (#11178) * fix README typo * Getting started section order * add first search request subsection * update CHANGELOG * update readme with note about service version support (#11180) * [Event Hubs] Fix a bug that sets owner level 0 (#11172) * [ServiceBus] Docstring and Changelog adjustment (#11166) * Identity use pbyte (#11173) * identity_vscode_cred_format * EnvironmentCredential correctly initializes UsernamePasswordCredential (#11127) * User authentication API for applications (#10612) * [Event Hubs] Version/Docs adjustment for 5.1.0 (#11179) * [form recognizer] Add some stuff that .net has to our samples (#11187) * re-enable schedule tests in session (#11184) * add helpers for search fields (#11164) * add helpers for search fields * pylint * fix annotation * Define match conditions for CreateOrUpdate and Delete operations (#11116) * sync * async * lint * Update sdk/search/azure-search-documents/azure/search/documents/_service/_datasources_client.py * tests fix * use match conditiond * error map * fix test * lint * comments * test_utils * Update sdk/search/azure-search-documents/azure/search/documents/_service/_utils.py * Update sdk/search/azure-search-documents/azure/search/documents/_service/_utils.py Co-authored-by: Johan Stenberg (MSFT) <[email protected]> * Update sdk/search/azure-search-documents/azure/search/documents/_service/_utils.py * Revert "Update sdk/search/azure-search-documents/azure/search/documents/_service/_utils.py" This reverts commit b0ca117. * fix * more changes Co-authored-by: Johan Stenberg (MSFT) <[email protected]> Co-authored-by: Xiaoxi Fu <[email protected]> Co-authored-by: Laurent Mazuel <[email protected]> Co-authored-by: Krista Pratico <[email protected]> Co-authored-by: Zim Kalinowski <[email protected]> Co-authored-by: Azure SDK Bot <[email protected]> Co-authored-by: iscai-msft <[email protected]> Co-authored-by: Scott Beddall <[email protected]> Co-authored-by: Azure SDK Bot <[email protected]> Co-authored-by: KieranBrantnerMagee <[email protected]> Co-authored-by: Bryan Van de Ven <[email protected]> Co-authored-by: Rakshith Bhyravabhotla <[email protected]> Co-authored-by: Adam Ling (MSFT) <[email protected]> Co-authored-by: Charles Lowell <[email protected]> Co-authored-by: praveenkuttappan <[email protected]> Co-authored-by: Rakshith Bhyravabhotla <[email protected]> Co-authored-by: Jiashuo Li <[email protected]> Co-authored-by: Yijun Xie <[email protected]> Co-authored-by: Daniel Jurek <[email protected]> Co-authored-by: changlong-liu <[email protected]> Co-authored-by: 陈箭飞 <[email protected]> Co-authored-by: SDK Automation <[email protected]> Co-authored-by: Your Name <[email protected]> Co-authored-by: xiafu <[email protected]> Co-authored-by: Johan Stenberg (MSFT) <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.