From cfaca65cc55950f7d7ea567db76f5b17f7cd0e3e Mon Sep 17 00:00:00 2001
From: Charles Lowell
Date: Mon, 19 Jul 2021 11:28:57 -0700
Subject: [PATCH] AZURE_POD_IDENTITY_AUTHORITY_HOST
---
 sdk/identity/azure-identity/CHANGELOG.md | 5 +++++
 .../azure-identity/azure/identity/_constants.py | 2 +-
 .../azure/identity/_credentials/imds.py | 11 ++++++++---
 .../azure/identity/aio/_credentials/imds.py | 2 +-
 .../azure-identity/tests/test_imds_credential.py | 14 +++++++-------
 .../tests/test_imds_credential_async.py | 14 +++++++-------
 .../azure-identity/tests/test_managed_identity.py | 8 ++++----
 .../tests/test_managed_identity_async.py | 10 +++++-----
 8 files changed, 38 insertions(+), 28 deletions(-)
diff --git a/sdk/identity/azure-identity/CHANGELOG.md b/sdk/identity/azure-identity/CHANGELOG.md
index 347fc411901e..b4d207531630 100644
--- a/sdk/identity/azure-identity/CHANGELOG.md
+++ b/sdk/identity/azure-identity/CHANGELOG.md
@@ -5,6 +5,11 @@
 ### Features Added
 ### Breaking Changes
+> These changes do not impact the API of stable versions such as 1.6.0.
+> Only code written against a beta version such as 1.7.0b1 may be affected.
+- Renamed `AZURE_POD_IDENTITY_TOKEN_URL` to `AZURE_POD_IDENTITY_AUTHORITY_HOST`.
+ The value should now be a host, for example "http://169.254.169.254" (the
+ default).
 ### Bugs Fixed
diff --git a/sdk/identity/azure-identity/azure/identity/_constants.py b/sdk/identity/azure-identity/azure/identity/_constants.py
index 8fce2c892eda..7766f6b82834 100644
--- a/sdk/identity/azure-identity/azure/identity/_constants.py
+++ b/sdk/identity/azure-identity/azure/identity/_constants.py
@@ -35,7 +35,7 @@ class EnvironmentVariables:
 AZURE_PASSWORD = "AZURE_PASSWORD"
 USERNAME_PASSWORD_VARS = (AZURE_CLIENT_ID, AZURE_USERNAME, AZURE_PASSWORD)
- AZURE_POD_IDENTITY_TOKEN_URL = "AZURE_POD_IDENTITY_TOKEN_URL"
+ AZURE_POD_IDENTITY_AUTHORITY_HOST = "AZURE_POD_IDENTITY_AUTHORITY_HOST"
 IDENTITY_ENDPOINT = "IDENTITY_ENDPOINT"
 IDENTITY_HEADER = "IDENTITY_HEADER"
 IDENTITY_SERVER_THUMBPRINT = "IDENTITY_SERVER_THUMBPRINT"
diff --git a/sdk/identity/azure-identity/azure/identity/_credentials/imds.py b/sdk/identity/azure-identity/azure/identity/_credentials/imds.py
index 4380c38d899f..ca385eeecb7e 100644
--- a/sdk/identity/azure-identity/azure/identity/_credentials/imds.py
+++ b/sdk/identity/azure-identity/azure/identity/_credentials/imds.py
@@ -20,7 +20,8 @@
 from typing import Any, Optional
 from azure.core.credentials import AccessToken
-IMDS_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
+IMDS_AUTHORITY = "http://169.254.169.254"
+IMDS_TOKEN_PATH = "/metadata/identity/oauth2/token"
 PIPELINE_SETTINGS = {
 "connection_timeout": 2,
@@ -33,7 +34,11 @@
 def get_request(scope, identity_config):
- request = HttpRequest("GET", os.environ.get(EnvironmentVariables.AZURE_POD_IDENTITY_TOKEN_URL, IMDS_URL))
+ url = (
+ os.environ.get(EnvironmentVariables.AZURE_POD_IDENTITY_AUTHORITY_HOST, IMDS_AUTHORITY).strip("/")
+ + IMDS_TOKEN_PATH
+ )
+ request = HttpRequest("GET", url)
 request.format_parameters(dict({"api-version": "2018-02-01", "resource": scope}, **identity_config))
 return request
@@ -44,7 +49,7 @@ def __init__(self, **kwargs):
 super(ImdsCredential, self).__init__()
 self._client = ManagedIdentityClient(get_request, **dict(PIPELINE_SETTINGS, **kwargs))
- if EnvironmentVariables.AZURE_POD_IDENTITY_TOKEN_URL in os.environ:
+ if EnvironmentVariables.AZURE_POD_IDENTITY_AUTHORITY_HOST in os.environ:
 self._endpoint_available = True # type: Optional[bool]
 else:
 self._endpoint_available = None
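Review bot: In `get_request` the value of `AZURE_POD_IDENTITY_AUTHORITY_HOST` goes into the token URL unchecked, and `ImdsCredential.__init__` (the last hunk above, whose `def` line is outside the hunk) treats the variable as configured whenever the key exists, even with an empty value. An empty value therefore yields the host-less URL `/metadata/identity/oauth2/token` while `_endpoint_available` is already `True`, so the error presumably surfaces only on the first token request instead of as an unavailable credential. I would fall back on empty values and trim only the trailing slash: `authority = os.environ.get(EnvironmentVariables.AZURE_POD_IDENTITY_AUTHORITY_HOST) or IMDS_AUTHORITY` and `url = authority.rstrip("/") + IMDS_TOKEN_PATH`, with `if os.environ.get(EnvironmentVariables.AZURE_POD_IDENTITY_AUTHORITY_HOST):` in `__init__`; the async `__init__` in `aio/_credentials/imds.py` has the same presence-only check. Because this variable decides which host issues the managed-identity token, a comment on `get_request` stating that it must name a trusted endpoint would also help.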
diff --git a/sdk/identity/azure-identity/azure/identity/aio/_credentials/imds.py b/sdk/identity/azure-identity/azure/identity/aio/_credentials/imds.py
index 9274adf6aea5..1c32419673cc 100644
--- a/sdk/identity/azure-identity/azure/identity/aio/_credentials/imds.py
+++ b/sdk/identity/azure-identity/azure/identity/aio/_credentials/imds.py
@@ -24,7 +24,7 @@ def __init__(self, **kwargs: "Any") -> None:
 super().__init__()
 self._client = AsyncManagedIdentityClient(get_request, **PIPELINE_SETTINGS, **kwargs)
- if EnvironmentVariables.AZURE_POD_IDENTITY_TOKEN_URL in os.environ:
+ if EnvironmentVariables.AZURE_POD_IDENTITY_AUTHORITY_HOST in os.environ:
 self._endpoint_available = True # type: Optional[bool]
 else:
 self._endpoint_available = None
diff --git a/sdk/identity/azure-identity/tests/test_imds_credential.py b/sdk/identity/azure-identity/tests/test_imds_credential.py
index 8a771496ec43..4093fac4ad6f 100644
--- a/sdk/identity/azure-identity/tests/test_imds_credential.py
+++ b/sdk/identity/azure-identity/tests/test_imds_credential.py
@@ -10,7 +10,7 @@
 from azure.identity import CredentialUnavailableError
 from azure.identity._constants import EnvironmentVariables
-from azure.identity._credentials.imds import ImdsCredential, IMDS_URL, PIPELINE_SETTINGS
+from azure.identity._credentials.imds import IMDS_TOKEN_PATH, ImdsCredential, IMDS_AUTHORITY, PIPELINE_SETTINGS
 from azure.identity._internal.user_agent import USER_AGENT
 import pytest
@@ -147,9 +147,9 @@ def test_identity_config():
 scope = "scope"
 transport = validating_transport(
 requests=[
- Request(base_url=IMDS_URL),
+ Request(base_url=IMDS_AUTHORITY + IMDS_TOKEN_PATH),
 Request(
- base_url=IMDS_URL,
+ base_url=IMDS_AUTHORITY + IMDS_TOKEN_PATH,
 method="GET",
 required_headers={"Metadata": "true", "User-Agent": USER_AGENT},
 required_params={"api-version": "2018-02-01", "resource": scope, param_name: param_value},
@@ -177,8 +177,8 @@ def test_identity_config():
 assert token == expected_token
-def test_imds_url_override():
- url = "https://localhost/token"
+def test_imds_authority_override():
+ authority = "https://localhost"
 expected_token = "***"
 scope = "scope"
 now = int(time.time())
@@ -186,7 +186,7 @@ def test_imds_url_override():
 transport = validating_transport(
 requests=[
 Request(
- base_url=url,
+ base_url=authority + IMDS_TOKEN_PATH,
 method="GET",
 required_headers={"Metadata": "true", "User-Agent": USER_AGENT},
 required_params={"api-version": "2018-02-01", "resource": scope},
@@ -207,7 +207,7 @@ def test_imds_url_override():
 ],
 )
- with mock.patch.dict("os.environ", {EnvironmentVariables.AZURE_POD_IDENTITY_TOKEN_URL: url}, clear=True):
+ with mock.patch.dict("os.environ", {EnvironmentVariables.AZURE_POD_IDENTITY_AUTHORITY_HOST: authority}, clear=True):
 credential = ImdsCredential(transport=transport)
 token = credential.get_token(scope)
diff --git a/sdk/identity/azure-identity/tests/test_imds_credential_async.py b/sdk/identity/azure-identity/tests/test_imds_credential_async.py
index e7ce37dc4669..c78aa284b0a4 100644
--- a/sdk/identity/azure-identity/tests/test_imds_credential_async.py
+++ b/sdk/identity/azure-identity/tests/test_imds_credential_async.py
@@ -10,7 +10,7 @@
 from azure.core.exceptions import ClientAuthenticationError
 from azure.identity import CredentialUnavailableError
 from azure.identity._constants import EnvironmentVariables
-from azure.identity._credentials.imds import IMDS_URL
+from azure.identity._credentials.imds import IMDS_AUTHORITY, IMDS_TOKEN_PATH
 from azure.identity._internal.user_agent import USER_AGENT
 from azure.identity.aio._credentials.imds import ImdsCredential, PIPELINE_SETTINGS
 import pytest
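Review bot: `test_imds_authority_override` in `test_imds_credential.py` only sets an authority with no trailing slash (`"https://localhost"`), so the `.strip("/")` normalisation this commit adds to `get_request` is never exercised. A second case with `authority = "https://localhost/"` expecting the same `base_url=authority.rstrip("/") + IMDS_TOKEN_PATH`, plus one with the variable set to an empty string, would pin how the override is interpreted. The async twin in `test_imds_credential_async.py` has the same gap; the test body is spread over three hunks, so the lines between them are not visible here.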
@@ -182,9 +182,9 @@ async def test_identity_config():
 transport = async_validating_transport(
 requests=[
- Request(base_url=IMDS_URL),
+ Request(base_url=IMDS_AUTHORITY + IMDS_TOKEN_PATH),
 Request(
- base_url=IMDS_URL,
+ base_url=IMDS_AUTHORITY + IMDS_TOKEN_PATH,
 method="GET",
 required_headers={"Metadata": "true", "User-Agent": USER_AGENT},
 required_params={"api-version": "2018-02-01", "resource": scope, param_name: param_value},
@@ -212,8 +212,8 @@ async def test_identity_config():
 assert token == expected_token
-async def test_imds_url_override():
- url = "https://localhost/token"
+async def test_imds_authority_override():
+ authority = "https://localhost"
 expected_token = "***"
 scope = "scope"
 now = int(time.time())
@@ -221,7 +221,7 @@ async def test_imds_url_override():
 transport = async_validating_transport(
 requests=[
 Request(
- base_url=url,
+ base_url=authority + IMDS_TOKEN_PATH,
 method="GET",
 required_headers={"Metadata": "true", "User-Agent": USER_AGENT},
 required_params={"api-version": "2018-02-01", "resource": scope},
@@ -242,7 +242,7 @@ async def test_imds_url_override():
 ],
 )
- with mock.patch.dict("os.environ", {EnvironmentVariables.AZURE_POD_IDENTITY_TOKEN_URL: url}, clear=True):
+ with mock.patch.dict("os.environ", {EnvironmentVariables.AZURE_POD_IDENTITY_AUTHORITY_HOST: authority}, clear=True):
 credential = ImdsCredential(transport=transport)
 token = await credential.get_token(scope)
diff --git a/sdk/identity/azure-identity/tests/test_managed_identity.py b/sdk/identity/azure-identity/tests/test_managed_identity.py
index daec08b10764..a4b624952294 100644
--- a/sdk/identity/azure-identity/tests/test_managed_identity.py
+++ b/sdk/identity/azure-identity/tests/test_managed_identity.py
@@ -15,7 +15,7 @@
 from azure.core.pipeline.transport import HttpRequest
 from azure.identity import ManagedIdentityCredential
 from azure.identity._constants import EnvironmentVariables
-from azure.identity._credentials.imds import IMDS_URL
+from azure.identity._credentials.imds import IMDS_AUTHORITY, IMDS_TOKEN_PATH
 from azure.identity._internal.managed_identity_client import ManagedIdentityClient
 from azure.identity._internal.user_agent import USER_AGENT
 import pytest
@@ -438,9 +438,9 @@ def test_imds():
 scope = "scope"
 transport = validating_transport(
 requests=[
- Request(base_url=IMDS_URL), # first request should be availability probe => match only the URL
+ Request(base_url=IMDS_AUTHORITY + IMDS_TOKEN_PATH),
 Request(
- base_url=IMDS_URL,
+ base_url=IMDS_AUTHORITY + IMDS_TOKEN_PATH,
 method="GET",
 required_headers={"Metadata": "true", "User-Agent": USER_AGENT},
 required_params={"api-version": "2018-02-01", "resource": scope},
@@ -532,7 +532,7 @@ def test_imds_user_assigned_identity():
 access_token = "****"
 expires_on = 42
 expected_token = AccessToken(access_token, expires_on)
- endpoint = IMDS_URL
+ endpoint = IMDS_AUTHORITY + IMDS_TOKEN_PATH
 scope = "scope"
 client_id = "some-guid"
 transport = validating_transport(
diff --git a/sdk/identity/azure-identity/tests/test_managed_identity_async.py b/sdk/identity/azure-identity/tests/test_managed_identity_async.py
index 950d74329b40..e20d2c25acf7 100644
--- a/sdk/identity/azure-identity/tests/test_managed_identity_async.py
+++ b/sdk/identity/azure-identity/tests/test_managed_identity_async.py
@@ -11,7 +11,7 @@
 from azure.core.pipeline.transport import HttpRequest
 from azure.identity.aio import ManagedIdentityCredential
 from azure.identity.aio._internal.managed_identity_client import AsyncManagedIdentityClient
-from azure.identity._credentials.imds import IMDS_URL
+from azure.identity._credentials.imds import IMDS_AUTHORITY, IMDS_TOKEN_PATH
 from azure.identity._constants import EnvironmentVariables
 from azure.identity._internal.user_agent import USER_AGENT
@@ -499,9 +499,9 @@ async def test_imds():
 scope = "scope"
 transport = async_validating_transport(
 requests=[
- Request(base_url=IMDS_URL), # first request should be availability probe => match only the URL
+ Request(base_url=IMDS_AUTHORITY + IMDS_TOKEN_PATH),
 Request(
- base_url=IMDS_URL,
+ base_url=IMDS_AUTHORITY + IMDS_TOKEN_PATH,
 method="GET",
 required_headers={"Metadata": "true", "User-Agent": USER_AGENT},
 required_params={"api-version": "2018-02-01", "resource": scope},
@@ -539,9 +539,9 @@ async def test_imds_user_assigned_identity():
 client_id = "some-guid"
 transport = async_validating_transport(
 requests=[
- Request(base_url=IMDS_URL), # first request should be availability probe => match only the URL
+ Request(base_url=IMDS_AUTHORITY + IMDS_TOKEN_PATH),
 Request(
- base_url=IMDS_URL,
+ base_url=IMDS_AUTHORITY + IMDS_TOKEN_PATH,
 method="GET",
 required_headers={"Metadata": "true", "User-Agent": USER_AGENT},
 required_params={"api-version": "2018-02-01", "resource": scope},
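Review bot: The rewritten first `Request(...)` entries in `test_imds` and `test_imds_user_assigned_identity` drop the trailing comment `# first request should be availability probe => match only the URL`. That comment was the only explanation of why the first expected request carries no method, headers or params. I would keep it on its own line above each entry, `# first request should be availability probe => match only the URL`. The same comment is also removed from `test_imds` in `test_managed_identity.py`; both test functions start and end outside the hunks shown.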