Merge pull request Azure#9887 from erich-wang/fix-user-msi

cormacpayne · web-flow · commit 7142936644ce · 2019-08-22T09:27:06.000-07:00
fix issue that user MSI doens't work in Azure Function
diff --git a/src/Accounts/Accounts/ChangeLog.md b/src/Accounts/Accounts/ChangeLog.md
@@ -19,6 +19,7 @@
 -->
 ## Upcoming Release
 * Fixed miscellaneous typos across module
+* Support user-assigned MSI in Azure Functiosn Authentication (#9479)
 
 ## Version 1.6.1
 * Update common code to use latest version of ClientRuntime
diff --git a/src/Accounts/Authentication.Test/AuthenticationFactoryTests.cs b/src/Accounts/Authentication.Test/AuthenticationFactoryTests.cs
@@ -365,11 +365,9 @@ public void AppServiceManagedIdentity()
         {
             AzureSessionInitializer.InitializeAzureSession();
             var tenant = Guid.NewGuid().ToString();
-            var userId = Guid.NewGuid().ToString();
             var environment = AzureEnvironment.PublicEnvironments["AzureCloud"];
             var account = new AzureAccount
             {
-                Id = userId,
                 Type = AzureAccount.AccountType.ManagedService
             };
             const string resource = @"https://management.azure.com/";
@@ -402,7 +400,7 @@ public void AppServiceManagedIdentity()
 
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
-        public void AppServiceManagedIdentityWithDataPlane()
+        public void AppServiceUserManagedIdentityWithDataPlane()
         {
             AzureSessionInitializer.InitializeAzureSession();
             var tenant = Guid.NewGuid().ToString();
@@ -415,6 +413,45 @@ public void AppServiceManagedIdentityWithDataPlane()
             };
             const string resource = @"https://vault.azure.com/";
             const string endpoint = @"http://127.0.0.1:41217/MSI/token/";
+            var expectedUri = $"{endpoint}?resource={resource}&api-version=2017-09-01&clientid={userId}";
+            account.SetProperty(AzureAccount.Property.MSILoginUri, endpoint);
+            account.SetProperty(AzureAccount.Property.MSILoginSecret, @"bar");
+            const string expectedAccessToken = "foo";
+            var expectedExpiresOn = DateTimeOffset.Parse("1/23/2019 7:15:42 AM +00:00");
+            var responses = new Dictionary<string, ManagedServiceAppServiceTokenInfo>(StringComparer.OrdinalIgnoreCase)
+            {
+                {
+                    expectedUri,
+                    new ManagedServiceAppServiceTokenInfo()
+                    {
+                        AccessToken = expectedAccessToken,
+                        ExpiresOn = expectedExpiresOn,
+                        Resource = resource,
+                        TokenType = "Bearer",
+                    }
+                }
+            };
+            AzureSession.Instance.RegisterComponent(HttpClientOperationsFactory.Name, () => TestHttpOperationsFactory.Create(responses, _output), true);
+            var msat = new ManagedServiceAppServiceAccessToken(account, environment, environment.GetEndpoint(resource) ?? resource, tenant);
+            Assert.Equal(expectedUri, msat.RequestUris.Peek());
+            var accessToken = msat.AccessToken;
+            Assert.Equal(expectedAccessToken, accessToken);
+            Assert.Equal(expectedExpiresOn, msat.ExpiresOn);
+        }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void AppServiceManagedIdentityWithDataPlane()
+        {
+            AzureSessionInitializer.InitializeAzureSession();
+            var tenant = Guid.NewGuid().ToString();
+            var environment = AzureEnvironment.PublicEnvironments["AzureCloud"];
+            var account = new AzureAccount
+            {
+                Type = AzureAccount.AccountType.ManagedService
+            };
+            const string resource = @"https://vault.azure.com/";
+            const string endpoint = @"http://127.0.0.1:41217/MSI/token/";
             var expectedUri = $"{endpoint}?resource={resource}&api-version=2017-09-01";
             account.SetProperty(AzureAccount.Property.MSILoginUri, endpoint);
             account.SetProperty(AzureAccount.Property.MSILoginSecret, @"bar");
@@ -447,11 +484,9 @@ public void AppServiceManagedIdentityWithServiceManagement()
         {
             AzureSessionInitializer.InitializeAzureSession();
             var tenant = Guid.NewGuid().ToString();
-            var userId = Guid.NewGuid().ToString();
             var environment = AzureEnvironment.PublicEnvironments["AzureCloud"];
             var account = new AzureAccount
             {
-                Id = userId,
                 Type = AzureAccount.AccountType.ManagedService
             };
             const string resource = @"https://management.azure.com/";
diff --git a/src/Accounts/Authentication/Authentication/ManagedServiceAccessTokenBase.cs b/src/Accounts/Authentication/Authentication/ManagedServiceAccessTokenBase.cs
@@ -34,7 +34,7 @@ public abstract class ManagedServiceAccessTokenBase<TManagedServiceTokenInfo> :
 
         protected ManagedServiceAccessTokenBase(IAzureAccount account, IAzureEnvironment environment, string resourceId, string tenant = "Common")
         {
-            if (string.IsNullOrEmpty(account?.Id) || !account.IsPropertySet(AzureAccount.Property.MSILoginUri))
+            if (!account.IsPropertySet(AzureAccount.Property.MSILoginUri))
             {
                 throw new ArgumentNullException(nameof(account));
             }
diff --git a/src/Accounts/Authentication/Authentication/ManagedServiceAppServiceAccessToken.cs b/src/Accounts/Authentication/Authentication/ManagedServiceAppServiceAccessToken.cs
@@ -13,7 +13,9 @@
 // ----------------------------------------------------------------------------------
 
 using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
+using System;
 using System.Collections.Generic;
+using System.Text;
 
 namespace Microsoft.Azure.Commands.Common.Authentication
 {
@@ -32,7 +34,14 @@ public ManagedServiceAppServiceAccessToken(IAzureAccount account, IAzureEnvironm
         protected override IEnumerable<string> BuildTokenUri(string baseUri, IAzureAccount account, IdentityType identityType,
             string resourceId)
         {
-            yield return $"{baseUri}?resource={resourceId}&api-version=2017-09-01";;
+            StringBuilder query = new StringBuilder($"{baseUri}?resource={resourceId}&api-version=2017-09-01");
+
+            if(identityType == IdentityType.ClientId || identityType == IdentityType.ObjectId)
+            {
+                query.Append($"&clientid={Uri.EscapeDataString(account.Id)}");
+            }
+
+            yield return query.ToString();
         }
 
         protected override void SetToken(ManagedServiceAppServiceTokenInfo infoWebApps)

Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ public abstract class ManagedServiceAccessTokenBase<TManagedServiceTokenInfo> :`
`34`	`34`
`35`	`35`	`protected ManagedServiceAccessTokenBase(IAzureAccount account, IAzureEnvironment environment, string resourceId, string tenant = "Common")`
`36`	`36`	`{`
`37`		`- if (string.IsNullOrEmpty(account?.Id) \|\| !account.IsPropertySet(AzureAccount.Property.MSILoginUri))`
	`37`	`+ if (!account.IsPropertySet(AzureAccount.Property.MSILoginUri))`
`38`	`38`	`{`
`39`	`39`	`throw new ArgumentNullException(nameof(account));`
`40`	`40`	`}`