Merge branch 'dev' into dharshanb/brokerSupportLinux

Author: DharshanBJ

azure-pipelines.yml

@@ -0,0 +1,37 @@
+# Derived from the default YAML generated by Azure DevOps for a Python package
+# Create and test a Python package on multiple Python versions.
+# Add steps that analyze code, save the dist with the build record, publish to a PyPI-compatible index, and more:
+# https://docs.microsoft.com/azure/devops/pipelines/languages/python
+
+trigger:
+- dev
+- azure-pipelines
+
+pool:
+  vmImage: ubuntu-latest
+strategy:
+  matrix:
+    Python39:
+      python.version: '3.9'
+    Python310:
+      python.version: '3.10'
+    Python311:
+      python.version: '3.11'
+    Python312:
+      python.version: '3.12'
+
+steps:
+- task: UsePythonVersion@0
+  inputs:
+    versionSpec: '$(python.version)'
+  displayName: 'Use Python $(python.version)'
+
+- script: |
+    python -m pip install --upgrade pip
+    pip install -r requirements.txt
+  displayName: 'Install dependencies'
+
+- script: |
+    pip install pytest pytest-azurepipelines
+    pytest
+  displayName: 'pytest'

docker_run.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/bash
+
+# Error out if there is less than 1 argument
+if [ "$#" -lt 1 ]; then
+    echo "Usage: $0 <Python_image> [command]"
+    echo "Example: $0 python:3.14.0a2-slim bash"
+    exit 1
+fi
+
+# We will get a standard Python image from the input,
+# so that we don't need to hard code one in a Dockerfile
+IMAGE_NAME=$1
+
+echo "=== Starting $IMAGE_NAME (especially those which have no AppImage yet) ==="
+echo "After seeing the bash prompt, run the following to test:"
+echo "    apt update && apt install -y gcc libffi-dev  # Needed in Python 3.14.0a2-slim"
+echo "    pip install -e ."
+echo "    pytest --capture=no -s tests/chosen_test_file.py"
+docker run --rm -it \
+    --privileged \
+    -w /home -v $PWD:/home \
+    $IMAGE_NAME \
+    $2
+

msal/application.py

@@ -22,7 +22,7 @@
 
 
 # The __init__.py will import this. Not the other way around.
-__version__ = "1.31.0"  # When releasing, also check and bump our dependencies's versions if needed
+__version__ = "1.31.1"  # When releasing, also check and bump our dependencies's versions if needed
 
 logger = logging.getLogger(__name__)
 _AUTHORITY_TYPE_CLOUDSHELL = "CLOUDSHELL"

msal/managed_identity.py

@@ -134,23 +134,6 @@ class ManagedIdentityClient(object):
 
     It also provides token cache support.
 
-    .. admonition:: Special case when your local development wants to use a managed identity on Azure VM.
-
-        By setting the environment variable ``MSAL_MANAGED_IDENTITY_ENDPOINT``
-        you override the default identity URL used in MSAL's Azure VM managed identity
-        code path.
-
-        This is useful during local development where it may be desirable to
-        utilise the credentials assigned to an actual VM instance via SSH tunnelling.
-
-        For example, if you create your SSH tunnel this way (assuming your VM is on ``192.0.2.1``)::
-
-            ssh -L 8000:169.254.169.254:80 192.0.2.1
-
-        Then your code could run locally using::
-
-            env MSAL_MANAGED_IDENTITY_ENDPOINT=http://localhost:8000/metadata/identity/oauth2/token python your_script.py
-
     .. note::
 
         Cloud Shell support is NOT implemented in this class.
@@ -171,7 +154,7 @@ def __init__(
         self,
         managed_identity: Union[
             dict,
-            ManagedIdentity,  # Could use Type[ManagedIdentity] but it is deprecatred in Python 3.9+
+            ManagedIdentity,  # Could use Type[ManagedIdentity] but it is deprecated in Python 3.9+
             SystemAssignedManagedIdentity,
             UserAssignedManagedIdentity,
             ],
@@ -223,7 +206,7 @@ def __init__(
         you may use an environment variable (such as MY_MANAGED_IDENTITY_CONFIG)
         to store a json blob like
         ``{"ManagedIdentityIdType": "ClientId", "Id": "foo"}`` or
-        ``{"ManagedIdentityIdType": "SystemAssignedManagedIdentity", "Id": null})``.
+        ``{"ManagedIdentityIdType": "SystemAssigned", "Id": null}``.
         The following app can load managed identity configuration dynamically::
 
             import json, os, msal, requests
@@ -363,10 +346,12 @@ def _scope_to_resource(scope):  # This is an experimental reasonable-effort appr
 def _get_arc_endpoint():
     if "IDENTITY_ENDPOINT" in os.environ and "IMDS_ENDPOINT" in os.environ:
         return os.environ["IDENTITY_ENDPOINT"]
-    if (  # Defined in https://msazure.visualstudio.com/One/_wiki/wikis/One.wiki/233012/VM-Extension-Authoring-for-Arc?anchor=determining-which-endpoint-to-use
-        sys.platform == "linux" and os.path.exists("/var/opt/azcmagent/bin/himds")
+    if (  # Defined in https://eng.ms/docs/cloud-ai-platform/azure-core/azure-management-and-platforms/control-plane-bburns/hybrid-resource-provider/azure-arc-for-servers/specs/extension_authoring
+        sys.platform == "linux" and os.path.exists("/opt/azcmagent/bin/himds")
         or sys.platform == "win32" and os.path.exists(os.path.expandvars(
-            r"%ProgramFiles%\AzureConnectedMachineAgent\himds.exe"))
+            # Avoid Windows-only "%EnvVar%" syntax so that tests can be run on Linux
+            r"${ProgramFiles}\AzureConnectedMachineAgent\himds.exe"
+        ))
     ):
         return "http://localhost:40342/metadata/identity/oauth2/token"
 
@@ -463,7 +448,7 @@ def _obtain_token_on_azure_vm(http_client, managed_identity, resource):
         }
     _adjust_param(params, managed_identity)
     resp = http_client.get(
-        os.getenv('MSAL_MANAGED_IDENTITY_ENDPOINT', 'http://169.254.169.254/metadata/identity/oauth2/token'),
+        "http://169.254.169.254/metadata/identity/oauth2/token",
         params=params,
         headers={"Metadata": "true"},
         )
@@ -663,4 +648,3 @@ def _obtain_token_on_arc(http_client, endpoint, resource):
         "error": "invalid_request",
         "error_description": response.text,
         }
-

setup.cfg

@@ -52,7 +52,7 @@ install_requires =
     # And we will use the cryptography (X+3).0.0 as the upper bound,
     # based on their latest deprecation policy
     # https://cryptography.io/en/latest/api-stability/#deprecation
-    cryptography>=2.5,<46
+    cryptography>=2.5,<47
 
 
 [options.extras_require]

tests/test_mi.py

@@ -347,9 +347,23 @@ def test_machine_learning(self):
         "IDENTITY_ENDPOINT": "http://localhost",
         "IMDS_ENDPOINT": "http://localhost",
     })
-    def test_arc(self):
+    def test_arc_by_env_var(self):
         self.assertEqual(get_managed_identity_source(), AZURE_ARC)
 
+    @patch("msal.managed_identity.os.path.exists", return_value=True)
+    @patch("msal.managed_identity.sys.platform", new="linux")
+    def test_arc_by_file_existence_on_linux(self, mocked_exists):
+        self.assertEqual(get_managed_identity_source(), AZURE_ARC)
+        mocked_exists.assert_called_with("/opt/azcmagent/bin/himds")
+
+    @patch("msal.managed_identity.os.path.exists", return_value=True)
+    @patch("msal.managed_identity.sys.platform", new="win32")
+    @patch.dict(os.environ, {"ProgramFiles": "C:\Program Files"})
+    def test_arc_by_file_existence_on_windows(self, mocked_exists):
+        self.assertEqual(get_managed_identity_source(), AZURE_ARC)
+        mocked_exists.assert_called_with(
+            r"C:\Program Files\AzureConnectedMachineAgent\himds.exe")
+
     @patch.dict(os.environ, {
         "AZUREPS_HOST_ENVIRONMENT": "cloud-shell-foo",
     })