Add environment variable and fallback support for MSI

Author: markcowl

src/Common/Commands.Common.Authentication.Abstractions/AzureAccount.cs

@@ -128,9 +128,13 @@ public static class Property
         /// <summary>
         /// Backup login Uri for MSI
         /// </summary>
-        MSILoginUriBackup = "MSILoginBackup";
+        MSILoginUriBackup = "MSILoginBackup",
 
 
+        /// <summary>
+        /// Secret that may be used with MSI login
+        /// </summary>
+        MSILoginSecret = "MSILoginSecret";
         }
     }
 }

src/Common/Commands.Common.Authentication/Authentication/ManagedServiceAccessToken.cs

@@ -17,6 +17,7 @@
 using Microsoft.Rest.Azure;
 using System;
 using System.Collections.Generic;
+using System.Net.Http;
 using System.Text;
 using System.Threading;
 
@@ -72,6 +73,10 @@ public ManagedServiceAccessToken(IAzureAccount account, IAzureEnvironment enviro
             }
 
             _tokenGetter = factory.GetHttpOperations<ManagedServiceTokenInfo>(true).WithHeader("Metadata", new[] { "true" });
+            if (account.IsPropertySet(AzureAccount.Property.MSILoginSecret))
+            {
+                _tokenGetter = _tokenGetter.WithHeader("Secret", new[] { account.GetProperty(AzureAccount.Property.MSILoginSecret) });
+            }
         }
 
         public string AccessToken
@@ -119,11 +124,12 @@ void GetOrRenewAuthentication()
                         RequestUris.Clear();
                         RequestUris.Enqueue(currentRequestUri);
                     }
-                    catch (CloudException) when (RequestUris.Count > 0)
+                    catch (Exception e) when ( (e is CloudException || e is HttpRequestException) && RequestUris.Count > 0)
                     {
-                        // do nothing
+                        // skip to the next uri
                     }
                 }
+
                 SetToken(info);
             }
         }

src/Common/Commands.Common/Extensions/CmdletExtensions.cs

@@ -202,6 +202,18 @@ public static void SafeCopyParameterSet<T>(this T source, T target) where T : Az
             }
         }
 
+        /// <summary>
+        /// Return the value of a paramater, or null if not set
+        /// </summary>
+        /// <typeparam name="T"></typeparam>
+        /// <param name="cmdlet">the executing cmdlet</param>
+        /// <param name="parameterName">The name of the parameter to return</param>
+        /// <returns>true if the parameter was provided by the user, otherwise false</returns>
+        public static bool IsBound(this PSCmdlet cmdlet, string parameterName) 
+        {
+            return cmdlet.MyInvocation.BoundParameters.ContainsKey(parameterName);
+        }
+
         public static string AsAbsoluteLocation(this string realtivePath)
         {
             return Path.GetFullPath(Path.Combine(AppDomain.CurrentDomain.BaseDirectory, realtivePath));

src/ResourceManager/Profile/Commands.Profile/Account/ConnectAzureRmAccount.cs

@@ -24,6 +24,7 @@
 using Microsoft.Azure.Commands.Profile.Properties;
 using Microsoft.Azure.Commands.Profile.Common;
 using Microsoft.Azure.Commands.Common.Authentication.Factories;
+using Microsoft.WindowsAzure.Commands.Common;
 
 namespace Microsoft.Azure.Commands.Profile
 {
@@ -40,6 +41,8 @@ public class ConnectAzureRmAccountCommand : AzureContextModificationCmdlet, IMod
         public const string ServicePrincipalCertificateParameterSet= "ServicePrincipalCertificateWithSubscriptionId";
         public const string AccessTokenParameterSet = "AccessTokenWithSubscriptionId";
         public const string ManagedServiceParameterSet = "ManagedServiceLogin";
+        public const string MSIEndpointVariable = "MSI_ENDPOINT";
+        public const string MSISecretVariable = "MSI_SECRET";
 
         protected IAzureEnvironment _environment =AzureEnvironment.PublicEnvironments[EnvironmentName.AzureCloud];
 
@@ -116,7 +119,12 @@ public class ConnectAzureRmAccountCommand : AzureContextModificationCmdlet, IMod
         [Parameter(ParameterSetName = ManagedServiceParameterSet, Mandatory = false, HelpMessage = "Host name for managed service login.")]
         [PSDefaultValue(Help = "localhost", Value = "localhost")]
         public string ManagedServiceHostName { get; set; } = "localhost";
-        
+
+        [Parameter(ParameterSetName = ManagedServiceParameterSet, Mandatory = false, HelpMessage = "Secret, used for some kinds of managed service login.")]
+        [ValidateNotNullOrEmpty]
+        public SecureString ManagedServiceSecret { get; set; }
+
+
         [Alias("SubscriptionName", "SubscriptionId")]
         [Parameter(ParameterSetName = UserParameterSet,
                     Mandatory = false, HelpMessage = "Subscription Name or ID", ValueFromPipeline = true)]
@@ -199,14 +207,36 @@ public override void ExecuteCmdlet()
                     break;
                 case ManagedServiceParameterSet:
                     azureAccount.Type = AzureAccount.AccountType.ManagedService;
-                    azureAccount.Id = MyInvocation.BoundParameters.ContainsKey(nameof(AccountId))? AccountId : string.Format("MSI@{0}", ManagedServicePort);
                     var builder = new UriBuilder();
                     builder.Scheme = "http";
                     builder.Host = ManagedServiceHostName;
                     builder.Port = ManagedServicePort;
                     builder.Path = "/oauth2/token";
-                    azureAccount.SetProperty(AzureAccount.Property.MSILoginUriBackup, builder.Uri.ToString());
-                    azureAccount.SetProperty(AzureAccount.Property.MSILoginUri, AuthenticationFactory.DefaultMSILoginUri);
+
+                    string msiSecret = this.IsBound(nameof(ManagedServiceSecret)) 
+                        ? ManagedServiceSecret.ConvertToString() 
+                        : System.Environment.GetEnvironmentVariable(MSISecretVariable);
+
+                    string suppliedUri = this.IsBound(nameof(ManagedServiceHostName))
+                        ? builder.Uri.ToString()
+                        : System.Environment.GetEnvironmentVariable(MSIEndpointVariable);
+
+                    if (!string.IsNullOrWhiteSpace(msiSecret))
+                    {
+                        azureAccount.SetProperty(AzureAccount.Property.MSILoginSecret, msiSecret);
+                    }
+                       
+                    if (!string.IsNullOrWhiteSpace(suppliedUri))
+                    {
+                        azureAccount.SetProperty(AzureAccount.Property.MSILoginUri, suppliedUri);
+                    }
+                    else
+                    {
+                        azureAccount.SetProperty(AzureAccount.Property.MSILoginUriBackup, builder.Uri.ToString());
+                        azureAccount.SetProperty(AzureAccount.Property.MSILoginUri, AuthenticationFactory.DefaultMSILoginUri);
+                    }
+
+                    azureAccount.Id = this.IsBound(nameof(AccountId)) ? AccountId : string.Format("MSI@{0}", ManagedServicePort);
                     break;
                 default:
                     azureAccount.Type = AzureAccount.AccountType.User;