[Identity] Emit warning in EnvironmentCredential for user/pass (#40595)

If UsernamePasswordCredential environment variables are detected in
EnvironmentCredential, a warning noting its deprecation is emitted.

Signed-off-by: Paul Van Eck <[email protected]>

Author: pvaneck

sdk/identity/azure-identity/azure/identity/_credentials/environment.py

@@ -5,10 +5,12 @@
 import logging
 import os
 from typing import Optional, Union, Any, cast
+import warnings
 from azure.core.credentials import AccessToken, AccessTokenInfo, TokenRequestOptions, SupportsTokenInfo
 
 from .. import CredentialUnavailableError
 from .._constants import EnvironmentVariables
+from .._internal import within_dac
 from .._internal.decorators import log_get_token
 from .certificate import CertificateCredential
 from .client_secret import ClientSecretCredential
@@ -96,8 +98,16 @@ def __init__(self, **kwargs: Any) -> None:
                 username=os.environ[EnvironmentVariables.AZURE_USERNAME],
                 password=os.environ[EnvironmentVariables.AZURE_PASSWORD],
                 tenant_id=os.environ.get(EnvironmentVariables.AZURE_TENANT_ID),  # optional for username/password auth
+                _silence_deprecation_warning=True,  # avoid duplicate warning
                 **kwargs
             )
+            warnings.warn(
+                "Environment is configured to use username and password authentication. "
+                "This authentication method is deprecated, as it doesn't support multifactor authentication (MFA). "
+                "For more details, see https://aka.ms/azsdk/identity/mfa.",
+                DeprecationWarning,
+                stacklevel=3 if within_dac.get() else 2,
+            )
 
         if self._credential:
             _LOGGER.info("Environment is configured for %s", self._credential.__class__.__name__)

sdk/identity/azure-identity/azure/identity/_credentials/user_password.py

@@ -63,12 +63,16 @@ class UsernamePasswordCredential(InteractiveCredential):
     """
 
     def __init__(self, client_id: str, username: str, password: str, **kwargs: Any) -> None:
-        warnings.warn(
-            f"{self.__class__.__name__} is deprecated, as is it doesn't support multifactor "
-            "authentication (MFA). For more details, see https://aka.ms/azsdk/identity/mfa.",
-            category=DeprecationWarning,
-            stacklevel=2,
-        )
+        if not kwargs.pop("_silence_deprecation_warning", False):
+            # Only emit the deprecation warning if the credential was constructed directly and not via
+            # EnvironmentCredential since EnvironmentCredential will emit its own deprecation
+            # warning if it is used to create a UsernamePasswordCredential.
+            warnings.warn(
+                f"{self.__class__.__name__} is deprecated, as it doesn't support multifactor "
+                "authentication (MFA). For more details, see https://aka.ms/azsdk/identity/mfa.",
+                category=DeprecationWarning,
+                stacklevel=2,
+            )
         # The base class will accept an AuthenticationRecord, allowing this credential to authenticate silently the
         # first time it's asked for a token. However, we want to ensure this first authentication is not silent, to
         # validate the given password. This class therefore doesn't document the authentication_record argument, and we

sdk/identity/azure-identity/azure/identity/aio/_credentials/environment.py

@@ -21,8 +21,8 @@
 class EnvironmentCredential(AsyncContextManager):
     """A credential configured by environment variables.
 
-    This credential is capable of authenticating as a service principal using a client secret or a certificate, or as
-    a user with a username and password. Configuration is attempted in this order, using these environment variables:
+    This credential is capable of authenticating as a service principal using a client secret or a certificate.
+    Configuration is attempted in this order, using these environment variables:
 
     Service principal with secret:
       - **AZURE_TENANT_ID**: ID of the service principal's tenant. Also called its 'directory' ID.

sdk/identity/azure-identity/tests/test_environment_credential.py

@@ -175,3 +175,21 @@ def test_username_password_configuration():
     assert kwargs["password"] == password
     assert kwargs["tenant_id"] == tenant_id
     assert kwargs["foo"] == bar
+
+
+def test_username_password_deprecation_warning():
+    """the credential should pass expected values and any keyword arguments to its inner credential"""
+
+    client_id = "client-id"
+    username = "username"
+    password = "password"
+    environment = {
+        EnvironmentVariables.AZURE_CLIENT_ID: client_id,
+        EnvironmentVariables.AZURE_USERNAME: username,
+        EnvironmentVariables.AZURE_PASSWORD: password,
+    }
+
+    with mock.patch.dict("os.environ", environment, clear=True):
+        # the deprecation warning is only raised when the credential is used
+        with pytest.deprecated_call():
+            EnvironmentCredential()