
Remove ManagedServiceAccessToken (Azure#14961)
* Remove ManagedServiceAccessToken

* Add breaking change exceptions for Connect-AzAccount

* Add breaking change exception for Connect-AzAccount
erich-wang authored May 13, 2021
1 parent 0747413 commit da02fe9
Showing 10 changed files with 8 additions and 661 deletions.
64 changes: 2 additions & 62 deletions src/Accounts/Accounts/Account/ConnectAzureRmAccount.cs
Expand Up @@ -57,6 +57,7 @@ public class ConnectAzureRmAccountCommand : AzureContextModificationCmdlet, IMod
public const string MSISecretVariable = "MSI_SECRET";
public const int DefaultMaxContextPopulation = 25;
public const string DefaultMaxContextPopulationString = "25";
private const int DefaultManagedServicePort = 50342;

private IAzureEnvironment _environment;

Expand Down Expand Up @@ -127,19 +128,6 @@ public class ConnectAzureRmAccountCommand : AzureContextModificationCmdlet, IMod
[Alias("MSI", "ManagedService")]
public SwitchParameter Identity { get; set; }

[Parameter(ParameterSetName = ManagedServiceParameterSet, Mandatory = false, HelpMessage = "Obsolete. To use customized MSI endpoint, please set environment variable MSI_ENDPOINT, e.g. \"http://localhost:50342/oauth2/token\". Port number for managed service login.")]
[PSDefaultValue(Help = "50342", Value = 50342)]
public int ManagedServicePort { get; set; } = 50342;

[Parameter(ParameterSetName = ManagedServiceParameterSet, Mandatory = false, HelpMessage = "Obsolete. To use customized MSI endpoint, please set environment variable MSI_ENDPOINT, e.g. \"http://localhost:50342/oauth2/token\". Host name for managed service login.")]
[PSDefaultValue(Help = "localhost", Value = "localhost")]
public string ManagedServiceHostName { get; set; } = "localhost";

[Parameter(ParameterSetName = ManagedServiceParameterSet, Mandatory = false, HelpMessage = "Obsolete. To use customized MSI secret, please set environment variable MSI_SECRET. Secret, used for some kinds of managed service login.")]
[ValidateNotNullOrEmpty]
public SecureString ManagedServiceSecret { get; set; }


[Alias("SubscriptionName", "SubscriptionId")]
[Parameter(ParameterSetName = UserParameterSet,
Mandatory = false, HelpMessage = "Subscription Name or ID", ValueFromPipeline = true)]
Expand Down Expand Up @@ -318,55 +306,7 @@ public override void ExecuteCmdlet()
break;
case ManagedServiceParameterSet:
azureAccount.Type = AzureAccount.AccountType.ManagedService;
var builder = new UriBuilder
{
Scheme = "http",
Host = ManagedServiceHostName,
Port = ManagedServicePort,
Path = "/oauth2/token"
};

//ManagedServiceHostName/ManagedServicePort/ManagedServiceSecret are obsolete, should be removed in next major release
if (this.IsBound(nameof(ManagedServiceHostName)) || this.IsBound(nameof(ManagedServicePort)) || this.IsBound(nameof(ManagedServiceSecret)))
{
WriteWarning(Resources.ObsoleteManagedServiceParameters);
}

var envSecret = System.Environment.GetEnvironmentVariable(MSISecretVariable);

var msiSecret = this.IsBound(nameof(ManagedServiceSecret))
? ManagedServiceSecret.ConvertToString()
: envSecret;

var envUri = System.Environment.GetEnvironmentVariable(MSIEndpointVariable);

var suppliedUri = this.IsBound(nameof(ManagedServiceHostName))
? builder.Uri.ToString()
: envUri;

if (!this.IsBound(nameof(ManagedServiceHostName)) && !string.IsNullOrWhiteSpace(envUri)
&& !this.IsBound(nameof(ManagedServiceSecret)) && !string.IsNullOrWhiteSpace(envSecret))
{
// set flag indicating this is AppService Managed Identity ad hoc mode
azureAccount.SetProperty(AuthenticationFactory.AppServiceManagedIdentityFlag, "the value not used");
}

if (!string.IsNullOrWhiteSpace(msiSecret))
{
azureAccount.SetProperty(AzureAccount.Property.MSILoginSecret, msiSecret);
}

if (!string.IsNullOrWhiteSpace(suppliedUri))
{
azureAccount.SetProperty(AzureAccount.Property.MSILoginUri, suppliedUri);
}
else
{
azureAccount.SetProperty(AzureAccount.Property.MSILoginUriBackup, builder.Uri.ToString());
azureAccount.SetProperty(AzureAccount.Property.MSILoginUri, AuthenticationFactory.DefaultMSILoginUri);
}

azureAccount.Id = this.IsBound(nameof(AccountId)) ? AccountId : string.Format(Constants.DefaultMsiAccountIdPrefix + "{0}", ManagedServicePort);
azureAccount.Id = this.IsBound(nameof(AccountId)) ? AccountId : $"{Constants.DefaultMsiAccountIdPrefix}{DefaultManagedServicePort}";
break;
default:
//Support username + password for both Windows PowerShell and PowerShell 6+
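Review bot: DefaultManagedServicePort (line 25 of the new file) now survives only to format the default account id on the new `azureAccount.Id = ...` line, so the id still ends in `50342` although the hunk no longer builds any endpoint from that port; a reader will assume the constant still configures the MSI endpoint. Document that on the constant, e.g. `// Only used to keep the default managed-identity account id in its historical "<prefix>50342" form; the MSI endpoint is no longer derived from this port.` If nothing depends on that id format, dropping the port suffix would be clearer. The hunk also removes every read of MSISecretVariable and MSIEndpointVariable in this cmdlet while the ChangeLog entry promises that `MSI_ENDPOINT` and `MSI_SECRET` still work; confirm they are consumed elsewhere (presumably by the replacement token provider) or remove the now-unused constants as well. ExecuteCmdlet continues outside the hunk.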
3 changes: 2 additions & 1 deletion src/Accounts/Accounts/ChangeLog.md
Expand Up @@ -19,7 +19,8 @@
-->

## Upcoming Release
* Customized display format of PSAzureRmAccount to hide secret of service principal [#14208]
* Removed obsolete parameters `ManagedServiceHostName`, `ManagedServicePort` and `ManagedServiceSecret` of cmdlet `Connect-AzAccount`, environment variables `MSI_ENDPOINT` and `MSI_SECRET` could be used instead
* Customize display format of PSAzureRmAccount to hide secret of service principal [#14208]
* Added optional parameter `AuthScope` to `Connect-AzAccount` to support enhanced authentication of data plane features

## Version 2.2.8
48 changes: 0 additions & 48 deletions src/Accounts/Accounts/help/Connect-AzAccount.md
Expand Up @@ -445,54 +445,6 @@ Accept pipeline input: False
Accept wildcard characters: False
```

### -ManagedServiceHostName

Obsolete. To use customized MSI endpoint, please set environment variable MSI_ENDPOINT, e.g. "http://localhost:50342/oauth2/token". Host name for the managed service.

```yaml
Type: System.String
Parameter Sets: ManagedServiceLogin
Aliases:
Required: False
Position: Named
Default value: localhost
Accept pipeline input: False
Accept wildcard characters: False
```

### -ManagedServicePort

Obsolete. To use customized MSI endpoint, please set environment variable MSI_ENDPOINT, e.g. "http://localhost:50342/oauth2/token".Port number for the managed service.

```yaml
Type: System.Int32
Parameter Sets: ManagedServiceLogin
Aliases:
Required: False
Position: Named
Default value: 50342
Accept pipeline input: False
Accept wildcard characters: False
```

### -ManagedServiceSecret

Obsolete. To use customized MSI secret, please set environment variable MSI_SECRET. Token for the managed service login.

```yaml
Type: System.Security.SecureString
Parameter Sets: ManagedServiceLogin
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```

### -MaxContextPopulation

Max subscription number to populate contexts after login. Default is 25. To populate all subscriptions to contexts, set to -1.
164 changes: 0 additions & 164 deletions src/Accounts/Authentication.Test/AuthenticationFactoryTests.cs
Expand Up @@ -412,170 +412,6 @@ void VerifyToken(IAccessToken checkToken, string expectedAccessToken, string exp
});
}

[Fact]
[Trait(Category.AcceptanceType, Category.CheckIn)]
public void AppServiceManagedIdentity()
{
AzureSessionInitializer.InitializeAzureSession();
var tenant = Guid.NewGuid().ToString();
var userId = "MSI@2";
var environment = AzureEnvironment.PublicEnvironments["AzureCloud"];
var account = new AzureAccount
{
Id = userId,
Type = AzureAccount.AccountType.ManagedService
};
const string resource = @"https://management.azure.com/";
const string endpoint = @"http://127.0.0.1:41217/MSI/token/";
var expectedUri = $"{endpoint}?resource={resource}&api-version=2017-09-01";
account.SetProperty(AzureAccount.Property.MSILoginUri , endpoint);
account.SetProperty(AzureAccount.Property.MSILoginSecret , @"bar");
const string expectedAccessToken = "foo";
var expectedExpiresOn = DateTimeOffset.Parse("1/23/2019 7:15:42 AM +00:00");
var responses = new Dictionary<string, ManagedServiceAppServiceTokenInfo>(StringComparer.OrdinalIgnoreCase)
{
{
expectedUri,
new ManagedServiceAppServiceTokenInfo()
{
AccessToken = expectedAccessToken,
ExpiresOn = expectedExpiresOn,
Resource = resource,
TokenType = "Bearer",
}
}
};
AzureSession.Instance.RegisterComponent(HttpClientOperationsFactory.Name, () => TestHttpOperationsFactory.Create(responses, _output), true);
var msat = new ManagedServiceAppServiceAccessToken(account, environment, tenant);
Assert.Equal(expectedUri, msat.RequestUris.Peek());
var accessToken = msat.AccessToken;
Assert.Equal(expectedAccessToken, accessToken);
Assert.Equal(expectedExpiresOn, msat.ExpiresOn);
}

[Fact]
[Trait(Category.AcceptanceType, Category.CheckIn)]
public void AppServiceUserManagedIdentityWithDataPlane()
{
AzureSessionInitializer.InitializeAzureSession();
var tenant = Guid.NewGuid().ToString();
var userId = Guid.NewGuid().ToString();
var environment = AzureEnvironment.PublicEnvironments["AzureCloud"];
var account = new AzureAccount
{
Id = userId,
Type = AzureAccount.AccountType.ManagedService
};
const string resource = @"https://vault.azure.com/";
const string endpoint = @"http://127.0.0.1:41217/MSI/token/";
var expectedUri = $"{endpoint}?resource={resource}&api-version=2017-09-01&clientid={userId}";
account.SetProperty(AzureAccount.Property.MSILoginUri, endpoint);
account.SetProperty(AzureAccount.Property.MSILoginSecret, @"bar");
const string expectedAccessToken = "foo";
var expectedExpiresOn = DateTimeOffset.Parse("1/23/2019 7:15:42 AM +00:00");
var responses = new Dictionary<string, ManagedServiceAppServiceTokenInfo>(StringComparer.OrdinalIgnoreCase)
{
{
expectedUri,
new ManagedServiceAppServiceTokenInfo()
{
AccessToken = expectedAccessToken,
ExpiresOn = expectedExpiresOn,
Resource = resource,
TokenType = "Bearer",
}
}
};
AzureSession.Instance.RegisterComponent(HttpClientOperationsFactory.Name, () => TestHttpOperationsFactory.Create(responses, _output), true);
var msat = new ManagedServiceAppServiceAccessToken(account, environment, environment.GetEndpoint(resource) ?? resource, tenant);
Assert.Equal(expectedUri, msat.RequestUris.Peek());
var accessToken = msat.AccessToken;
Assert.Equal(expectedAccessToken, accessToken);
Assert.Equal(expectedExpiresOn, msat.ExpiresOn);
}

[Fact]
[Trait(Category.AcceptanceType, Category.CheckIn)]
public void AppServiceManagedIdentityWithDataPlane()
{
AzureSessionInitializer.InitializeAzureSession();
var tenant = Guid.NewGuid().ToString();
var userId = "MSI@2";
var environment = AzureEnvironment.PublicEnvironments["AzureCloud"];
var account = new AzureAccount
{
Id = userId,
Type = AzureAccount.AccountType.ManagedService
};
const string resource = @"https://vault.azure.com/";
const string endpoint = @"http://127.0.0.1:41217/MSI/token/";
var expectedUri = $"{endpoint}?resource={resource}&api-version=2017-09-01";
account.SetProperty(AzureAccount.Property.MSILoginUri, endpoint);
account.SetProperty(AzureAccount.Property.MSILoginSecret, @"bar");
const string expectedAccessToken = "foo";
var expectedExpiresOn = DateTimeOffset.Parse("1/23/2019 7:15:42 AM +00:00");
var responses = new Dictionary<string, ManagedServiceAppServiceTokenInfo>(StringComparer.OrdinalIgnoreCase)
{
{
expectedUri,
new ManagedServiceAppServiceTokenInfo()
{
AccessToken = expectedAccessToken,
ExpiresOn = expectedExpiresOn,
Resource = resource,
TokenType = "Bearer",
}
}
};
AzureSession.Instance.RegisterComponent(HttpClientOperationsFactory.Name, () => TestHttpOperationsFactory.Create(responses, _output), true);
var msat = new ManagedServiceAppServiceAccessToken(account, environment, environment.GetEndpoint(resource) ?? resource, tenant);
Assert.Equal(expectedUri, msat.RequestUris.Peek());
var accessToken = msat.AccessToken;
Assert.Equal(expectedAccessToken, accessToken);
Assert.Equal(expectedExpiresOn, msat.ExpiresOn);
}

[Fact]
[Trait(Category.AcceptanceType, Category.CheckIn)]
public void AppServiceManagedIdentityWithServiceManagement()
{
AzureSessionInitializer.InitializeAzureSession();
var tenant = Guid.NewGuid().ToString();
var userId = "MSI@2";
var environment = AzureEnvironment.PublicEnvironments["AzureCloud"];
var account = new AzureAccount
{
Id = userId,
Type = AzureAccount.AccountType.ManagedService
};
const string resource = @"https://management.azure.com/";
const string serviceManagementResource = @"https://management.core.windows.net/";
const string endpoint = @"http://127.0.0.1:41217/MSI/token/";
var expectedUri = $"{endpoint}?resource={resource}&api-version=2017-09-01";
account.SetProperty(AzureAccount.Property.MSILoginUri, endpoint);
account.SetProperty(AzureAccount.Property.MSILoginSecret, @"bar");
const string expectedAccessToken = "foo";
var expectedExpiresOn = DateTimeOffset.Parse("1/23/2019 7:15:42 AM +00:00");
var responses = new Dictionary<string, ManagedServiceAppServiceTokenInfo>(StringComparer.OrdinalIgnoreCase)
{
{
expectedUri,
new ManagedServiceAppServiceTokenInfo()
{
AccessToken = expectedAccessToken,
ExpiresOn = expectedExpiresOn,
Resource = resource,
TokenType = "Bearer",
}
}
};
AzureSession.Instance.RegisterComponent(HttpClientOperationsFactory.Name, () => TestHttpOperationsFactory.Create(responses, _output), true);
var msat = new ManagedServiceAppServiceAccessToken(account, environment, GetFunctionsResourceId(serviceManagementResource, environment), tenant);
Assert.Equal(expectedUri, msat.RequestUris.Peek());
var accessToken = msat.AccessToken;
Assert.Equal(expectedAccessToken, accessToken);
Assert.Equal(expectedExpiresOn, msat.ExpiresOn);
}
private string GetFunctionsResourceId(string resourceIdOrEndpointName, IAzureEnvironment environment)
{
var resourceId = environment.GetEndpoint(resourceIdOrEndpointName) ?? resourceIdOrEndpointName;

This file was deleted.
