public async Task GetSystemTokenLiveAsync()
{
var credential = new ManagedIdentityCredential();
AccessToken token = await credential.GetTokenAsync(new TokenRequestContext(new string[] { "https://management.azure.com//.default" }));
Assert.IsNotNull(token.Token);
}
private static async Task <string> GetTokenAsync(string instanceUri)
{
var managedIdentityCredential = new ManagedIdentityCredential(clientId);
var properScope = new Uri(instanceUri).GetComponents(UriComponents.SchemeAndServer, UriFormat.UriEscaped);
var acessToken = await managedIdentityCredential.GetTokenAsync(new TokenRequestContext(new[] { properScope }));
return(acessToken.Token);
}
public async Task ScopesHonoredAsync()
{
var credential = new ManagedIdentityCredential();
credential._client(new MockManagedIdentityClient());
AccessToken defaultScopeToken = await credential.GetTokenAsync(new TokenRequestContext(MockScopes.Default));
Assert.IsTrue(new MockToken(defaultScopeToken.Token).HasField("scopes", MockScopes.Default.ToString()));
}
static void Main(string[] args)
{
var credential = new ManagedIdentityCredential();
var token = await credential.GetTokenAsync(new string[] { "https://management.azure.com//.default" });
Console.WriteLine(token.Token);
Console.WriteLine(token.ExpiresOn);
}
public override Task <IAccessToken> Authenticate(AuthenticationParameters parameters, CancellationToken cancellationToken)
{
var msiParameters = parameters as ManagedServiceIdentityParameters;
var scopes = new[] { GetResourceId(msiParameters.ResourceId, msiParameters.Environment) };
var requestContext = new TokenRequestContext(scopes);
ManagedIdentityCredential identityCredential = new ManagedIdentityCredential();
var tokenTask = identityCredential.GetTokenAsync(requestContext);
return(MsalAccessToken.GetAccessTokenAsync(tokenTask, msiParameters.TenantId, msiParameters.Account.Id));
}
public async Task ScopesHonoredAsync()
{
var credential = new ManagedIdentityCredential()
{
Client = new MockIdentityClient()
};
string defaultScopeToken = await credential.GetTokenAsync(MockScopes.Default);
Assert.IsTrue(new MockToken(defaultScopeToken).HasField("scopes", MockScopes.Default.ToString()));
}
public async Task <DbConnection> GetConnectionAsync(
CancellationToken cancellationToken = default(CancellationToken))
{
var sqlConnection = new SqlConnection(_connectionString);
var credential = new ManagedIdentityCredential();
var accessToken =
(await credential.GetTokenAsync(
new TokenRequestContext(_authenticationTokenScopes),
cancellationToken)).Token;
sqlConnection.AccessToken = accessToken;
return(sqlConnection);
}
public async Task CancellationTokenHonoredAsync()
{
var credential = new ManagedIdentityCredential();
credential._client(new MockManagedIdentityClient());
var cancellation = new CancellationTokenSource();
ValueTask <AccessToken> getTokenComplete = credential.GetTokenAsync(new TokenRequestContext(MockScopes.Default), cancellation.Token);
cancellation.Cancel();
Assert.ThrowsAsync <TaskCanceledException>(async() => await getTokenComplete, "failed to cancel GetToken call");
await Task.CompletedTask;
}
public async Task VerifyCloudShellMsiRequestWithClientIdMockAsync()
{
using (new TestEnvVar("MSI_ENDPOINT", "https://mock.msi.endpoint/"))
using (new TestEnvVar("MSI_SECRET", null))
{
var response = new MockResponse(200);
var expectedToken = "mock-msi-access-token";
response.SetContent($"{{ \"access_token\": \"{expectedToken}\", \"expires_on\": {(DateTimeOffset.UtcNow + TimeSpan.FromSeconds(3600)).ToUnixTimeSeconds()} }}");
var mockTransport = new MockTransport(response);
var options = new TokenCredentialOptions()
{
Transport = mockTransport
};
ManagedIdentityCredential client = InstrumentClient(new ManagedIdentityCredential("mock-client-id", options));
AccessToken actualToken = await client.GetTokenAsync(new TokenRequestContext(MockScopes.Default));
Assert.AreEqual(expectedToken, actualToken.Token);
MockRequest request = mockTransport.Requests[0];
Assert.IsTrue(request.Uri.ToString().StartsWith("https://mock.msi.endpoint/"));
Assert.IsTrue(request.Content.TryComputeLength(out long contentLen));
var content = new byte[contentLen];
MemoryStream contentBuff = new MemoryStream(content);
request.Content.WriteTo(contentBuff, default);
string body = Encoding.UTF8.GetString(content);
Assert.IsTrue(body.Contains($"resource={Uri.EscapeDataString(ScopeUtilities.ScopesToResource(MockScopes.Default))}"));
Assert.IsTrue(body.Contains($"client_id=mock-client-id"));
Assert.IsTrue(request.Headers.TryGetValue("Metadata", out string actMetadata));
Assert.AreEqual("true", actMetadata);
}
}
public static async Task <HttpResponseMessage> Run(
[HttpTrigger(AuthorizationLevel.Function, "get", Route = null)] HttpRequest req,
ILogger log)
{
log.LogInformation("Get Groups using Azure.Identity...");
#if DEBUG
log.LogInformation("Using client credentials");
X509Certificate2 cert = Certs.GetCertificateFromStore(Configuration.LocalDevCertName);
var credential = new ClientCertificateCredential(Configuration.LocalDevTenantId, Configuration.LocalDevAppId, cert);
#else
log.LogInformation("Using Managed identity credentials");
var credential = new ManagedIdentityCredential();
#endif
try
{
var accessTokenRequest = await credential.GetTokenAsync(
new TokenRequestContext(scopes : new string[] { "https://graph.microsoft.com/.default" }) { }
);
var accessToken = accessTokenRequest.Token;
//log.LogInformation(accessToken);
var httpClient = new HttpClient()
{
DefaultRequestHeaders =
{
Authorization = new AuthenticationHeaderValue("Bearer", accessToken)
}
};
var result = await httpClient.GetStringAsync("https://graph.microsoft.com/v1.0/groups");
return(new HttpResponseMessage(HttpStatusCode.OK)
{
Content = new StringContent(result, Encoding.UTF8, "application/json")
});
}
catch (AuthenticationFailedException ex)
{
log.LogError($"Authentication Failed. {ex.Message}");
return(null);
}
}
public async Task VerifyImdsRequestWithClientIdMockAsync()
{
using (new TestEnvVar("MSI_ENDPOINT", null))
using (new TestEnvVar("MSI_SECRET", null))
{
var response = new MockResponse(200);
var expectedToken = "mock-msi-access-token";
response.SetContent($"{{ \"access_token\": \"{expectedToken}\", \"expires_on\": \"3600\" }}");
var mockTransport = new MockTransport(response);
var options = new TokenCredentialOptions()
{
Transport = mockTransport
};
var pipeline = CredentialPipeline.GetInstance(options);
var client = new MockManagedIdentityClient(pipeline, "mock-client-id")
{
ManagedIdentitySourceFactory = () => new ImdsManagedIdentitySource(pipeline.HttpPipeline, "mock-client-id")
};
ManagedIdentityCredential credential = InstrumentClient(new ManagedIdentityCredential(pipeline, client));
AccessToken actualToken = await credential.GetTokenAsync(new TokenRequestContext(MockScopes.Default));
Assert.AreEqual(expectedToken, actualToken.Token);
MockRequest request = mockTransport.Requests[0];
string query = request.Uri.Query;
Assert.IsTrue(query.Contains("api-version=2018-02-01"));
Assert.IsTrue(query.Contains($"resource={Uri.EscapeDataString(ScopeUtilities.ScopesToResource(MockScopes.Default))}"));
Assert.IsTrue(query.Contains($"client_id=mock-client-id"));
Assert.IsTrue(request.Headers.TryGetValue("Metadata", out string metadataValue));
Assert.AreEqual("true", metadataValue);
}
}
public async Task CancellationTokenHonoredAsync()
{
var credential = new ManagedIdentityCredential()
{
Client = new MockIdentityClient()
};
var cancellation = new CancellationTokenSource();
ValueTask <string> getTokenComplete = credential.GetTokenAsync(MockScopes.Default, cancellation.Token);
cancellation.Cancel();
Assert.ThrowsAsync <TaskCanceledException>(async() => await getTokenComplete, "failed to cancel GetToken call");
await Task.CompletedTask;
}
public async Task VerifyAppServiceMsiRequestWithClientIdMockAsync()
{
using (new TestEnvVar("MSI_ENDPOINT", "https://mock.msi.endpoint/"))
using (new TestEnvVar("MSI_SECRET", "mock-msi-secret"))
{
var response = new MockResponse(200);
var expectedToken = "mock-msi-access-token";
response.SetContent($"{{ \"access_token\": \"{expectedToken}\", \"expires_on\": \"{DateTimeOffset.UtcNow.ToString()}\" }}");
var mockTransport = new MockTransport(response);
var options = new TokenCredentialOptions()
{
Transport = mockTransport
};
ManagedIdentityCredential credential = InstrumentClient(new ManagedIdentityCredential("mock-client-id", options));
AccessToken actualToken = await credential.GetTokenAsync(new TokenRequestContext(MockScopes.Default));
Assert.AreEqual(expectedToken, actualToken.Token);
MockRequest request = mockTransport.SingleRequest;
Assert.IsTrue(request.Uri.ToString().StartsWith("https://mock.msi.endpoint/"));
string query = request.Uri.Query;
Assert.IsTrue(query.Contains("api-version=2017-09-01"));
Assert.IsTrue(query.Contains($"resource={Uri.EscapeDataString(ScopeUtilities.ScopesToResource(MockScopes.Default))}"));
Assert.IsTrue(query.Contains($"clientid=mock-client-id"));
Assert.IsTrue(request.Headers.TryGetValue("secret", out string actSecretValue));
Assert.AreEqual("mock-msi-secret", actSecretValue);
}
}
public void VerifyImdsAvailableUserCanceledMockAsync()
{
using (new TestEnvVar("MSI_ENDPOINT", null))
using (new TestEnvVar("MSI_SECRET", null))
{
var mockTransport = new MockTransport(request => throw new OperationCanceledException("mock user canceled exception"));
var options = new TokenCredentialOptions()
{
Transport = mockTransport
};
ManagedIdentityCredential credential = InstrumentClient(new ManagedIdentityCredential("mock-client-id", options));
CancellationTokenSource cancellationSource = new CancellationTokenSource();
cancellationSource.Cancel();
Assert.CatchAsync <OperationCanceledException>(async() => await credential.GetTokenAsync(new TokenRequestContext(MockScopes.Default), cancellationSource.Token));
}
}
public async Task VerifyImdsRequestWithClientIdMockAsync()
{
using (new TestEnvVar("MSI_ENDPOINT", null))
using (new TestEnvVar("MSI_SECRET", null))
{
var response = new MockResponse(200);
var expectedToken = "mock-msi-access-token";
response.SetContent($"{{ \"access_token\": \"{expectedToken}\", \"expires_on\": \"3600\" }}");
var mockTransport = new MockTransport(response, response);
var options = new IdentityClientOptions()
{
Transport = mockTransport
};
var credential = new ManagedIdentityCredential(clientId: "mock-client-id", options: options);
AccessToken actualToken = await credential.GetTokenAsync(MockScopes.Default);
Assert.AreEqual(expectedToken, actualToken.Token);
MockRequest request = mockTransport.Requests[mockTransport.Requests.Count - 1];
string query = request.UriBuilder.Query;
Assert.IsTrue(query.Contains("api-version=2018-02-01"));
Assert.IsTrue(query.Contains($"resource={Uri.EscapeDataString(ScopeUtilities.ScopesToResource(MockScopes.Default))}"));
Assert.IsTrue(query.Contains($"client_id=mock-client-id"));
Assert.IsTrue(request.Headers.TryGetValue("Metadata", out string metadataValue));
Assert.AreEqual("true", metadataValue);
}
}
private bool GetManagedIdentity(string managedClientId)
{
bool retval = false;
try
{
ManagedIdentityCredential managedCredential = new ManagedIdentityCredential(managedClientId, new TokenCredentialOptions
{
Diagnostics =
{
ApplicationId = Constants.ApplicationName,
IsDistributedTracingEnabled = true,
IsLoggingContentEnabled = true,
IsLoggingEnabled = true,
LoggedHeaderNames =
{
"x-ms-request-id"
},
LoggedQueryParameters =
{
"api-version"
}
}
});
ManagedIdentityToken = managedCredential.GetTokenAsync(new TokenRequestContext(new string[1] {
$"{Constants.ManagementAzureCom}/.default"
})).Result;
retval = true;
}
catch (Exception e)
{
Log.Info($"exception:{e.Message}");
}
return(retval);
}
public async void Run([TimerTrigger("0 */5 * * * *")] TimerInfo myTimer, ILogger log)
{
string strQuery = "Resources | where tags['resize-Enable'] =~ 'True'";
var resizeUpList = new List <JObject>();
var resizeDownList = new List <JObject>();
string storageKeyName = "storageAccount";
string storageAppSetting = _configuration[storageKeyName];
log.LogInformation("Storage Account: " + storageAppSetting);
string queueKeyName = "storageQueue";
string queueAppSetting = _configuration[queueKeyName];
log.LogInformation("Storage Queue: " + queueAppSetting);
string debugKeyName = "debugMode";
string debugAppSetting = _configuration[debugKeyName];
log.LogInformation("Debug: " + debugAppSetting);
bool debugFlag = bool.Parse(debugAppSetting);
QueueClient messageQueue = getQueueClient(storageAppSetting, queueAppSetting);
ManagedIdentityCredential managedIdentityCredential = new ManagedIdentityCredential();
string[] scope = new string[] { "https://management.azure.com/.default" };
var accessToken = (await managedIdentityCredential.GetTokenAsync(new Azure.Core.TokenRequestContext(scope))).Token;
TokenCredentials serviceClientCreds = new TokenCredentials(accessToken);
ResourceGraphClient rgClient = new ResourceGraphClient(serviceClientCreds);
SubscriptionClient subscriptionClient = new SubscriptionClient(serviceClientCreds);
IEnumerable <SubscriptionModel> subscriptions = await subscriptionClient.Subscriptions.ListAsync();
var subscriptionIds = subscriptions
.Where(s => s.State == SubscriptionState.Enabled)
.Select(s => s.SubscriptionId)
.ToList();
QueryRequest request = new QueryRequest
{
Subscriptions = subscriptionIds,
Query = strQuery,
Options = new QueryRequestOptions(resultFormat: ResultFormat.ObjectArray)
};
var response = await rgClient.ResourcesAsync(request);
JArray resources = JArray.Parse(response.Data.ToString());
log.LogInformation("Current Time: " + DateTime.UtcNow.ToString("dddd htt"));
foreach (JObject resource in resources)
{
log.LogInformation("Target: " + resource["name"].ToString());
Hashtable times = new Hashtable()
{
{ "StartTime", resource["tags"]["resize-StartTime"].ToString() },
{ "EndTime", resource["tags"]["resize-EndTime"].ToString() }
};
foreach (string key in times.Keys)
{
log.LogInformation(string.Format("{0}: {1}", key, times[key]));
}
Regex rg = new Regex("saveState-.*");
if (resizeTime(times))
{
// log.LogInformation("Resize Time: YES");
if (resource["tags"].Children <JProperty>().Any(prop => rg.IsMatch(prop.Name.ToString())))
{
log.LogInformation(resource["name"].ToString() + " Already Scaled Down...");
}
else
{
log.LogInformation(resource["name"].ToString() + " Needs to be Scaled Down...");
resizeDownList.Add(resource);
}
}
else
{
// log.LogInformation("Resize Time: NO");
if (resource["tags"].Children <JProperty>().Any(prop => rg.IsMatch(prop.Name.ToString())))
{
log.LogInformation(resource["name"].ToString() + " Needs to be Scaled Up...");
resizeUpList.Add(resource);
}
else
{
log.LogInformation(resource["name"].ToString() + " Already Scaled Up...");
}
}
}
foreach (var item in resizeUpList)
{
log.LogInformation(item["name"].ToString() + " => up");
var messageData = new JObject();
messageData.Add(new JProperty("debug", debugFlag));
messageData.Add(new JProperty("direction", "up"));
messageData.Add(new JProperty("graphResults", item));
writeQueueMessage(messageData, messageQueue);
}
;
foreach (var item in resizeDownList)
{
log.LogInformation(item["name"].ToString() + " => down");
var messageData = new JObject();
messageData.Add(new JProperty("debug", debugFlag));
messageData.Add(new JProperty("direction", "down"));
messageData.Add(new JProperty("graphResults", item));
writeQueueMessage(messageData, messageQueue);
}
;
}
public void VerifyImdsUnavailableImmediateFailureMockAsync()
{
using (new TestEnvVar("MSI_ENDPOINT", null))
using (new TestEnvVar("MSI_SECRET", null))
{
var mockTransport = new MockTransport(request => throw new Exception("mock imds probe exception"));
var options = new TokenCredentialOptions()
{
Transport = mockTransport
};
ManagedIdentityCredential credential = InstrumentClient(new ManagedIdentityCredential("mock-client-id", options));
Assert.ThrowsAsync <CredentialUnavailableException>(async() => await credential.GetTokenAsync(new TokenRequestContext(MockScopes.Default)));
MockRequest request = mockTransport.Requests[0];
string query = request.Uri.Query;
Assert.IsTrue(query.Contains("api-version=2018-02-01"));
Assert.False(request.Headers.TryGetValue("Metadata", out string _));
}
}
protected override async Task <AccessToken> GetAccessTokenFromProviderAsync(CancellationToken cancellationToken)
{
var credential = new ManagedIdentityCredential();
return(await credential.GetTokenAsync(new TokenRequestContext(_authenticationTokenScopes), cancellationToken));
}