public async Task VerifyMSIRequest()
{
var pingResponse = new MockResponse(400);
var response = new MockResponse(200);
var expectedToken = "mock-msi-access-token";
response.SetContent($"{{ \"access_token\": \"{expectedToken}\", \"expires_on\": 3600 }}");
var mockTransport = new MockTransport(pingResponse, response);
var options = new IdentityClientOptions()
{
Transport = mockTransport
};
var credential = new ManagedIdentityCredential(options: options);
AccessToken actualToken = await credential.GetTokenAsync(MockScopes.Default);
Assert.AreEqual(expectedToken, actualToken.Token);
MockRequest request = mockTransport.Requests[1];
string query = request.UriBuilder.Query;
Assert.IsTrue(query.Contains("api-version=2018-02-01"));
Assert.IsTrue(query.Contains($"resource={Uri.EscapeDataString(ScopeUtilities.ScopesToResource(MockScopes.Default))}"));
Assert.IsTrue(request.Headers.TryGetValue("Metadata", out string metadataValue));
Assert.AreEqual("true", metadataValue);
}
public async Task VerifyAppService2019RequestWithClientIdMockAsync()
{
using (new TestEnvVar("IDENTITY_ENDPOINT", "https://identity.endpoint/"))
using (new TestEnvVar("IDENTITY_HEADER", "mock-identity-header"))
{
var expectedToken = "mock-access-token";
var response = new MockResponse(200);
response.SetContent($"{{ \"access_token\": \"{expectedToken}\", \"expires_on\": \"3600\" }}");
var mockTransport = new MockTransport(response);
var options = new TokenCredentialOptions {
Transport = mockTransport
};
ManagedIdentityCredential credential = InstrumentClient(new ManagedIdentityCredential("mock-client-id", options));
AccessToken actualToken = await credential.GetTokenAsync(new TokenRequestContext(MockScopes.Default));
Assert.AreEqual(expectedToken, actualToken.Token);
MockRequest request = mockTransport.SingleRequest;
Assert.IsTrue(request.Uri.ToString().StartsWith(EnvironmentVariables.IdentityEndpoint));
string query = request.Uri.Query;
Assert.IsTrue(query.Contains("api-version=2019-08-01"));
Assert.IsTrue(query.Contains("client_id=mock-client-id"));
Assert.IsTrue(query.Contains($"resource={Uri.EscapeDataString(ScopeUtilities.ScopesToResource(MockScopes.Default))}"));
Assert.IsTrue(request.Headers.TryGetValue("X-IDENTITY-HEADER", out string identityHeader));
Assert.AreEqual(EnvironmentVariables.IdentityHeader, identityHeader);
}
}
public async Task VerifyCloudShellMsiRequestWithClientIdMockAsync()
{
using (new TestEnvVar("MSI_ENDPOINT", "https://mock.msi.endpoint/"))
using (new TestEnvVar("MSI_SECRET", null))
{
var response = new MockResponse(200);
var expectedToken = "mock-msi-access-token";
response.SetContent($"{{ \"access_token\": \"{expectedToken}\", \"expires_on\": {(DateTimeOffset.UtcNow + TimeSpan.FromSeconds(3600)).ToUnixTimeSeconds()} }}");
var mockTransport = new MockTransport(response);
var options = new AzureCredentialOptions()
{
Transport = mockTransport
};
ManagedIdentityClient client = InstrumentClient(new ManagedIdentityClient(options));
AccessToken actualToken = await client.AuthenticateAsync(MockScopes.Default, "mock-client-id");
Assert.AreEqual(expectedToken, actualToken.Token);
MockRequest request = mockTransport.Requests[0];
Assert.IsTrue(request.Uri.ToString().StartsWith("https://mock.msi.endpoint/"));
Assert.IsTrue(request.Content.TryComputeLength(out long contentLen));
var content = new byte[contentLen];
MemoryStream contentBuff = new MemoryStream(content);
request.Content.WriteTo(contentBuff, default);
string body = Encoding.UTF8.GetString(content);
Assert.IsTrue(body.Contains($"resource={Uri.EscapeDataString(ScopeUtilities.ScopesToResource(MockScopes.Default))}"));
Assert.IsTrue(body.Contains($"client_id=mock-client-id"));
Assert.IsTrue(request.Headers.TryGetValue("Metadata", out string actMetadata));
Assert.AreEqual("true", actMetadata);
}
}
public async Task VerifyImdsRequestWithClientIdMockAsync()
{
using (new TestEnvVar("MSI_ENDPOINT", null))
using (new TestEnvVar("MSI_SECRET", null))
{
var response = new MockResponse(200);
var expectedToken = "mock-msi-access-token";
response.SetContent($"{{ \"access_token\": \"{expectedToken}\", \"expires_on\": \"3600\" }}");
var mockTransport = new MockTransport(response);
var options = new TokenCredentialOptions()
{
Transport = mockTransport
};
var pipeline = CredentialPipeline.GetInstance(options);
var client = new MockManagedIdentityClient(pipeline, "mock-client-id")
{
ManagedIdentitySourceFactory = () => new ImdsManagedIdentitySource(pipeline.HttpPipeline, "mock-client-id")
};
ManagedIdentityCredential credential = InstrumentClient(new ManagedIdentityCredential(pipeline, client));
AccessToken actualToken = await credential.GetTokenAsync(new TokenRequestContext(MockScopes.Default));
Assert.AreEqual(expectedToken, actualToken.Token);
MockRequest request = mockTransport.Requests[0];
string query = request.Uri.Query;
Assert.IsTrue(query.Contains("api-version=2018-02-01"));
Assert.IsTrue(query.Contains($"resource={Uri.EscapeDataString(ScopeUtilities.ScopesToResource(MockScopes.Default))}"));
Assert.IsTrue(query.Contains($"client_id=mock-client-id"));
Assert.IsTrue(request.Headers.TryGetValue("Metadata", out string metadataValue));
Assert.AreEqual("true", metadataValue);
}
}
public async Task VerifyAppServiceMsiRequestWithClientIdMockAsync()
{
using (new TestEnvVar("MSI_ENDPOINT", "https://mock.msi.endpoint/"))
using (new TestEnvVar("MSI_SECRET", "mock-msi-secret"))
{
var response = new MockResponse(200);
var expectedToken = "mock-msi-access-token";
response.SetContent($"{{ \"access_token\": \"{expectedToken}\", \"expires_on\": \"{DateTimeOffset.UtcNow.ToString()}\" }}");
var mockTransport = new MockTransport(response);
var options = new AzureCredentialOptions()
{
Transport = mockTransport
};
ManagedIdentityClient client = InstrumentClient(new ManagedIdentityClient(options));
AccessToken actualToken = await client.AuthenticateAsync(MockScopes.Default, "mock-client-id");
Assert.AreEqual(expectedToken, actualToken.Token);
MockRequest request = mockTransport.Requests[0];
Assert.IsTrue(request.Uri.ToString().StartsWith("https://mock.msi.endpoint/"));
string query = request.Uri.Query;
Assert.IsTrue(query.Contains("api-version=2017-09-01"));
Assert.IsTrue(query.Contains($"resource={Uri.EscapeDataString(ScopeUtilities.ScopesToResource(MockScopes.Default))}"));
Assert.IsTrue(query.Contains($"client_id=mock-client-id"));
Assert.IsTrue(request.Headers.TryGetValue("secret", out string actSecretValue));
Assert.AreEqual("mock-msi-secret", actSecretValue);
}
}
public async Task VerifyImdsRequestWithClientIdMockAsync()
{
using (new TestEnvVar("MSI_ENDPOINT", null))
using (new TestEnvVar("MSI_SECRET", null))
{
var response = new MockResponse(200);
var expectedToken = "mock-msi-access-token";
response.SetContent($"{{ \"access_token\": \"{expectedToken}\", \"expires_on\": \"3600\" }}");
var mockTransport = new MockTransport(response, response);
var options = new AzureCredentialOptions()
{
Transport = mockTransport
};
ManagedIdentityClient client = InstrumentClient(new ManagedIdentityClient(options));
AccessToken actualToken = await client.AuthenticateAsync(MockScopes.Default, clientId : "mock-client-id");
Assert.AreEqual(expectedToken, actualToken.Token);
MockRequest request = mockTransport.Requests[mockTransport.Requests.Count - 1];
string query = request.Uri.Query;
Assert.IsTrue(query.Contains("api-version=2018-02-01"));
Assert.IsTrue(query.Contains($"resource={Uri.EscapeDataString(ScopeUtilities.ScopesToResource(MockScopes.Default))}"));
Assert.IsTrue(query.Contains($"client_id=mock-client-id"));
Assert.IsTrue(request.Headers.TryGetValue("Metadata", out string metadataValue));
Assert.AreEqual("true", metadataValue);
}
}