internal async Task TransientErrorRetryTest(MockMsi.MsiTestType testType)
{
// To simplify tests, mock as MSI App Services to skip Azure VM IDMS probe request by
Environment.SetEnvironmentVariable(Constants.MsiAppServiceEndpointEnv, Constants.MsiEndpoint);
Environment.SetEnvironmentVariable(Constants.MsiAppServiceHeaderEnv, Constants.ClientSecret);
MockMsi mockMsi = new MockMsi(testType);
MsiAccessTokenProvider msiAccessTokenProvider = new MsiAccessTokenProvider(mockMsi);
MsiRetryHelper.WaitBeforeRetry = false;
// Get token, requests will fail several times before success
var authResult = await msiAccessTokenProvider.GetAuthResultAsync(Constants.KeyVaultResourceId, Constants.TenantId).ConfigureAwait(false);
Validator.ValidateToken(authResult.AccessToken, msiAccessTokenProvider.PrincipalUsed, Constants.AppType, Constants.TenantId, Constants.TestAppId, expiresOn: authResult.ExpiresOn);
// Request for token again, subsequent requests will all fail
var exception = await Assert.ThrowsAsync <AzureServiceTokenProviderException>(() => Task.Run(() => msiAccessTokenProvider.GetAuthResultAsync(Constants.KeyVaultResourceId, Constants.TenantId)));
Assert.Contains(AzureServiceTokenProviderException.RetryFailure, exception.Message);
if (testType == MockMsi.MsiTestType.MsiUnresponsive)
{
Assert.Contains(AzureServiceTokenProviderException.MsiEndpointNotListening, exception.Message);
}
else
{
Assert.Contains(AzureServiceTokenProviderException.GenericErrorMessage, exception.Message);
Assert.Contains(testType.ToString(), exception.Message);
}
}
public void DiscoveryTestBothFail()
{
// Mock process manager is being asked to act like Azure CLI was NOT able to get the token.
MockProcessManager mockProcessManager = new MockProcessManager(MockProcessManager.MockProcessManagerRequestType.ProcessNotFound);
AzureCliAccessTokenProvider azureCliAccessTokenProvider = new AzureCliAccessTokenProvider(mockProcessManager);
// Mock MSI is being asked to act like MSI was able to get token.
MockMsi mockMsi = new MockMsi(MockMsi.MsiTestType.MsiAppServicesFailure);
HttpClient httpClient = new HttpClient(mockMsi);
MsiAccessTokenProvider msiAccessTokenProvider = new MsiAccessTokenProvider(httpClient);
// AzureServiceTokenProvider is being asked to use two providers, and and both should fail to get token.
var providers = new List <NonInteractiveAzureServiceTokenProviderBase> {
azureCliAccessTokenProvider, msiAccessTokenProvider
};
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider(providers);
var exception = Assert.ThrowsAsync <AzureServiceTokenProviderException>(() => azureServiceTokenProvider.GetAccessTokenAsync(Constants.GraphResourceId, Constants.TenantId));
Assert.Contains(Constants.NoMethodWorkedToGetTokenError, exception.Result.Message);
// Mock process manager will fail, and so hit count will be 1.
Assert.Equal(1, mockProcessManager.HitCount);
// AzureCliAccessTokenProvider will fail, and so Msi handler will be hit next. So hit count is 1 here.
Assert.Equal(1, mockMsi.HitCount);
}
public async Task GetTokenUsingManagedIdentityAppServices(bool specifyUserAssignedManagedIdentity)
{
// Setup the environment variables that App Service MSI would setup.
Environment.SetEnvironmentVariable(Constants.MsiAppServiceEndpointEnv, Constants.MsiEndpoint);
Environment.SetEnvironmentVariable(Constants.MsiAppServiceHeaderEnv, Constants.ClientSecret);
string expectedAppId;
string managedIdentityArgument;
MockMsi.MsiTestType msiTestType;
// Determine arguments and expected values based whether user-assigned managed identity is used
if (specifyUserAssignedManagedIdentity)
{
managedIdentityArgument = Constants.TestUserAssignedManagedIdentityId;
msiTestType = MockMsi.MsiTestType.MsiUserAssignedIdentityAppServicesSuccess;
expectedAppId = Constants.TestUserAssignedManagedIdentityId;
}
else
{
managedIdentityArgument = null;
msiTestType = MockMsi.MsiTestType.MsiAppServicesSuccess;
expectedAppId = Constants.TestAppId;
}
// MockMsi is being asked to act like response from App Service MSI suceeded.
MockMsi mockMsi = new MockMsi(msiTestType);
MsiAccessTokenProvider msiAccessTokenProvider = new MsiAccessTokenProvider(mockMsi, managedIdentityClientId: managedIdentityArgument);
// Get token. This confirms that the environment variables are being read.
var authResult = await msiAccessTokenProvider.GetAuthResultAsync(Constants.KeyVaultResourceId, Constants.TenantId).ConfigureAwait(false);
Validator.ValidateToken(authResult.AccessToken, msiAccessTokenProvider.PrincipalUsed, Constants.AppType, Constants.TenantId, expectedAppId, expiresOn: authResult.ExpiresOn);
}
internal async Task MsiRetryTimeoutTest(bool isAppServices)
{
if (isAppServices)
{
// Mock as MSI App Services to skip Azure VM IDMS probe request
Environment.SetEnvironmentVariable(Constants.MsiAppServiceEndpointEnv, Constants.MsiEndpoint);
Environment.SetEnvironmentVariable(Constants.MsiAppServiceHeaderEnv, Constants.ClientSecret);
}
int timeoutInSeconds = (new Random()).Next(1, 4);
MockMsi mockMsi = new MockMsi(MockMsi.MsiTestType.MsiUnresponsive);
MsiAccessTokenProvider msiAccessTokenProvider = new MsiAccessTokenProvider(mockMsi, retryTimeoutInSeconds: timeoutInSeconds);
// Do not use test hook to skip wait, test should timeout while waiting
MsiRetryHelper.WaitBeforeRetry = true;
Stopwatch timer = new Stopwatch();
timer.Start();
var exception = await Assert.ThrowsAsync <AzureServiceTokenProviderException>(() => Task.Run(() => msiAccessTokenProvider.GetAuthResultAsync(Constants.KeyVaultResourceId, Constants.TenantId)));
timer.Stop();
// validate correct error message and and that total elapsed time is (roughly) the retry timeout specified
Assert.Contains(MsiRetryHelper.RetryTimeoutError, exception.Message);
Assert.True(timer.Elapsed.TotalSeconds - timeoutInSeconds < 1.0);
}
public AddressBookContext(DbContextOptions <AddressBookContext> options, MsiAccessTokenProvider tokenProvider)
: base(options)
{
var connection = Database.GetDbConnection() as SqlConnection;
connection.AccessToken = tokenProvider.getAccessToken();
}
private async Task GetTokenUsingManagedIdentityAzureVm(bool specifyUserAssignedManagedIdentity)
{
string expectedAppId;
string managedIdentityArgument;
MockMsi.MsiTestType msiTestType;
// Determine arguments and expected values based whether user-assigned managed identity is used
if (specifyUserAssignedManagedIdentity)
{
managedIdentityArgument = Constants.TestUserAssignedManagedIdentityId;
msiTestType = MockMsi.MsiTestType.MsiUserAssignedIdentityAzureVmSuccess;
expectedAppId = Constants.TestUserAssignedManagedIdentityId;
}
else
{
managedIdentityArgument = null;
msiTestType = MockMsi.MsiTestType.MsiAzureVmSuccess;
expectedAppId = Constants.TestAppId;
}
// MockMsi is being asked to act like response from Azure VM MSI succeeded.
MockMsi mockMsi = new MockMsi(msiTestType);
HttpClient httpClient = new HttpClient(mockMsi);
MsiAccessTokenProvider msiAccessTokenProvider = new MsiAccessTokenProvider(httpClient, managedIdentityArgument);
// Get token.
var authResult = await msiAccessTokenProvider.GetAuthResultAsync(Constants.KeyVaultResourceId, Constants.TenantId).ConfigureAwait(false);
// Check if the principalused and type are as expected.
Validator.ValidateToken(authResult.AccessToken, msiAccessTokenProvider.PrincipalUsed, Constants.AppType, Constants.TenantId, expectedAppId, expiresOn: authResult.ExpiresOn);
}
public async Task DiscoveryTestFirstFail()
{
// Mock process manager is being asked to act like Azure CLI was NOT able to get the token.
MockProcessManager mockProcessManager = new MockProcessManager(MockProcessManager.MockProcessManagerRequestType.ProcessNotFound);
AzureCliAccessTokenProvider azureCliAccessTokenProvider = new AzureCliAccessTokenProvider(mockProcessManager);
// Mock MSI is being asked to act like MSI was able to get token.
MockMsi mockMsi = new MockMsi(MockMsi.MsiTestType.MsiAppServicesSuccess);
MsiAccessTokenProvider msiAccessTokenProvider = new MsiAccessTokenProvider(mockMsi);
// set env vars so MsiAccessTokenProvider assumes App Service environment and not VM environment
Environment.SetEnvironmentVariable(Constants.MsiAppServiceEndpointEnv, Constants.MsiEndpoint);
Environment.SetEnvironmentVariable(Constants.MsiAppServiceHeaderEnv, Constants.ClientSecret);
// AzureServiceTokenProvider is being asked to use two providers, and return token from the first that succeeds.
var providers = new List <NonInteractiveAzureServiceTokenProviderBase> {
azureCliAccessTokenProvider, msiAccessTokenProvider
};
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider(providers);
var token = await azureServiceTokenProvider.GetAccessTokenAsync(Constants.GraphResourceId, Constants.TenantId);
// Mock process manager will be hit first, and so hit count will be 1.
Assert.Equal(1, mockProcessManager.HitCount);
// AzureCliAccessTokenProvider will fail, and so Msi handler will be hit next. So hit count is 1 here.
Assert.Equal(1, mockMsi.HitCount);
// MsiAccessTokenProvider should succeed, and we should get a valid token.
Validator.ValidateToken(token, azureServiceTokenProvider.PrincipalUsed, Constants.AppType, Constants.TenantId, Constants.TestAppId);
}
private async Task AppServicesDifferentCultureTest()
{
var defaultCulture = Thread.CurrentThread.CurrentCulture;
try
{
// ensure thread culture is NOT using en-US culture (App Services MSI endpoint always uses en-US DateTime format)
Thread.CurrentThread.CurrentCulture = new CultureInfo("en-GB");
// Setup the environment variables that App Service MSI would setup.
Environment.SetEnvironmentVariable(Constants.MsiAppServiceEndpointEnv, Constants.MsiEndpoint);
Environment.SetEnvironmentVariable(Constants.MsiAppServiceHeaderEnv, Constants.ClientSecret);
// MockMsi is being asked to act like response from App Service MSI suceeded.
MockMsi mockMsi = new MockMsi(MockMsi.MsiTestType.MsiAppServicesSuccess);
MsiAccessTokenProvider msiAccessTokenProvider = new MsiAccessTokenProvider(mockMsi);
// Get token.
var authResult = await msiAccessTokenProvider.GetAuthResultAsync(Constants.KeyVaultResourceId, Constants.TenantId).ConfigureAwait(false);
// Check if the principalused and type are as expected.
Validator.ValidateToken(authResult.AccessToken, msiAccessTokenProvider.PrincipalUsed, Constants.AppType, Constants.TenantId, Constants.TestAppId, expiresOn: authResult.ExpiresOn);
}
finally
{
// revert back to default thread culture
Thread.CurrentThread.CurrentCulture = defaultCulture;
}
}
public async Task DiscoveryTestFirstSuccess()
{
// Mock process manager is being asked to act like Azure CLI was able to get the token.
MockProcessManager mockProcessManager = new MockProcessManager(MockProcessManager.MockProcessManagerRequestType.Success);
AzureCliAccessTokenProvider azureCliAccessTokenProvider = new AzureCliAccessTokenProvider(mockProcessManager);
// Mock MSI is being asked to act like MSI was able to get token.
MockMsi mockMsi = new MockMsi(MockMsi.MsiTestType.MsiAppServicesSuccess);
HttpClient httpClient = new HttpClient(mockMsi);
MsiAccessTokenProvider msiAccessTokenProvider = new MsiAccessTokenProvider(httpClient);
// AzureServiceTokenProvider is being asked to use two providers, and return token from the first that succeeds.
var providers = new List <NonInteractiveAzureServiceTokenProviderBase> {
azureCliAccessTokenProvider, msiAccessTokenProvider
};
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider(providers);
var token = await azureServiceTokenProvider.GetAccessTokenAsync(Constants.GraphResourceId, Constants.TenantId);
// Mock process manager will be hit first, and so the hit count should be 1.
Assert.Equal(1, mockProcessManager.HitCount);
// Msi handler will not be hit, since AzureCliAccessTokenProvider was able to return token. So this hit count should be 0.
Assert.Equal(0, mockMsi.HitCount);
Validator.ValidateToken(token, azureServiceTokenProvider.PrincipalUsed, Constants.UserType, Constants.TenantId);
}
public async Task DiscoveryTestFirstFail()
{
// Mock process manager is being asked to act like Azure CLI was NOT able to get the token.
MockProcessManager mockProcessManager = new MockProcessManager(MockProcessManager.MockProcessManagerRequestType.ProcessNotFound);
AzureCliAccessTokenProvider azureCliAccessTokenProvider = new AzureCliAccessTokenProvider(mockProcessManager);
// Mock MSI is being asked to act like MSI was able to get token.
MockMsi mockMsi = new MockMsi(MockMsi.MsiTestType.MsiAzureVmSuccess);
HttpClient httpClient = new HttpClient(mockMsi);
MsiAccessTokenProvider msiAccessTokenProvider = new MsiAccessTokenProvider(httpClient);
// AzureServiceTokenProvider is being asked to use two providers, and return token from the first that succeeds.
var providers = new List <NonInteractiveAzureServiceTokenProviderBase> {
azureCliAccessTokenProvider, msiAccessTokenProvider
};
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider(providers);
var token = await azureServiceTokenProvider.GetAccessTokenAsync(Constants.GraphResourceId, Constants.TenantId);
// Mock process manager will be hit first, and so hit count will be 1.
Assert.Equal(1, mockProcessManager.HitCount);
// AzureCliAccessTokenProvider will fail, and so Msi handler will be hit next. So hit count is 2 here (1 for probe request, 1 for token request).
Assert.Equal(2, mockMsi.HitCount);
// MsiAccessTokenProvider should succeed, and we should get a valid token.
Validator.ValidateToken(token, azureServiceTokenProvider.PrincipalUsed, Constants.AppType, Constants.TenantId, Constants.TestAppId);
}
private async Task AzureVmImdsTimeoutTest()
{
MockMsi mockMsi = new MockMsi(MockMsi.MsiTestType.MsiAzureVmTimeout);
HttpClient httpClient = new HttpClient(mockMsi);
MsiAccessTokenProvider msiAccessTokenProvider = new MsiAccessTokenProvider(httpClient);
var exception = await Assert.ThrowsAsync <AzureServiceTokenProviderException>(() => Task.Run(() => msiAccessTokenProvider.GetAuthResultAsync(Constants.KeyVaultResourceId, Constants.TenantId)));
Assert.Contains(AzureServiceTokenProviderException.MsiEndpointNotListening, exception.Message);
Assert.DoesNotContain(AzureServiceTokenProviderException.RetryFailure, exception.Message);
}
public async Task MsiResponseMissingTokenTest()
{
// MockMsi is being asked to act like response from Azure VM MSI failed.
MockMsi mockMsi = new MockMsi(MockMsi.MsiTestType.MsiMissingToken);
MsiAccessTokenProvider msiAccessTokenProvider = new MsiAccessTokenProvider(mockMsi);
// Ensure exception is thrown when getting the token
var exception = await Assert.ThrowsAsync <AzureServiceTokenProviderException>(() => msiAccessTokenProvider.GetAuthResultAsync(Constants.KeyVaultResourceId, Constants.TenantId));
Assert.Contains(AzureServiceTokenProviderException.GenericErrorMessage, exception.Message);
Assert.Contains(Constants.CannotBeNullError, exception.ToString());
}
public async Task ParseErrorMsiGetTokenTest()
{
// MockMsi is being asked to act like response from Azure VM MSI suceeded.
MockMsi mockMsi = new MockMsi(MockMsi.MsiTestType.MsiAppJsonParseFailure);
MsiAccessTokenProvider msiAccessTokenProvider = new MsiAccessTokenProvider(mockMsi);
// Ensure exception is thrown when getting the token
var exception = await Assert.ThrowsAsync <AzureServiceTokenProviderException>(() => msiAccessTokenProvider.GetAuthResultAsync(Constants.KeyVaultResourceId, Constants.TenantId));
Assert.Contains(Constants.TokenResponseFormatExceptionMessage, exception.ToString());
Assert.Contains(Constants.JsonParseErrorException, exception.ToString());
}
public async Task AzureVmImdsTimeoutTest()
{
Environment.SetEnvironmentVariable(Constants.MsiAppServiceEndpointEnv, null);
Environment.SetEnvironmentVariable(Constants.MsiAppServiceHeaderEnv, null);
MockMsi mockMsi = new MockMsi(MockMsi.MsiTestType.MsiAzureVmImdsTimeout);
MsiAccessTokenProvider msiAccessTokenProvider = new MsiAccessTokenProvider(mockMsi);
var exception = await Assert.ThrowsAsync <AzureServiceTokenProviderException>(() => Task.Run(() => msiAccessTokenProvider.GetAuthResultAsync(Constants.KeyVaultResourceId, Constants.TenantId)));
Assert.Contains(AzureServiceTokenProviderException.MetadataEndpointNotListening, exception.Message);
Assert.DoesNotContain(AzureServiceTokenProviderException.RetryFailure, exception.Message);
}
public async Task IncorrectFormatTest()
{
// Setup the environment variables
Environment.SetEnvironmentVariable(Constants.MsiAppServiceEndpointEnv, Constants.MsiEndpoint);
Environment.SetEnvironmentVariable(Constants.MsiAppServiceHeaderEnv, Constants.ClientSecret);
MockMsi mockMsi = new MockMsi(MockMsi.MsiTestType.MsiAppServicesIncorrectRequest);
MsiAccessTokenProvider msiAccessTokenProvider = new MsiAccessTokenProvider(mockMsi);
var exception = await Assert.ThrowsAsync <AzureServiceTokenProviderException>(() => Task.Run(() => msiAccessTokenProvider.GetAuthResultAsync(Constants.KeyVaultResourceId, Constants.TenantId)));
Assert.Contains(Constants.IncorrectFormatError, exception.Message);
Assert.Contains(HttpStatusCode.BadRequest.ToString(), exception.Message);
}
private async Task TransientErrorTest(MockMsi.MsiTestType testType)
{
MockMsi mockMsi = new MockMsi(testType);
HttpClient httpClient = new HttpClient(mockMsi);
MsiAccessTokenProvider msiAccessTokenProvider = new MsiAccessTokenProvider(httpClient);
MsiRetryHelper.WaitBeforeRetry = false;
// Get token.
var authResult = await msiAccessTokenProvider.GetAuthResultAsync(Constants.KeyVaultResourceId, Constants.TenantId).ConfigureAwait(false);
// Check if the principalused and type are as expected.
Validator.ValidateToken(authResult.AccessToken, msiAccessTokenProvider.PrincipalUsed, Constants.AppType, Constants.TenantId, Constants.TestAppId, expiresOn: authResult.ExpiresOn);
}
public async Task UnauthorizedTest()
{
// Setup the environment variables
Environment.SetEnvironmentVariable(Constants.MsiAppServiceEndpointEnv, Constants.MsiEndpoint);
Environment.SetEnvironmentVariable(Constants.MsiAppServiceHeaderEnv, Constants.ClientSecret);
// MockMsi is being asked to act like response from App Service MSI failed (unauthorized).
MockMsi mockMsi = new MockMsi(MockMsi.MsiTestType.MsiAppServicesUnauthorized);
MsiAccessTokenProvider msiAccessTokenProvider = new MsiAccessTokenProvider(mockMsi);
var exception = await Assert.ThrowsAsync <AzureServiceTokenProviderException>(() => Task.Run(() => msiAccessTokenProvider.GetAuthResultAsync(Constants.KeyVaultResourceId, Constants.TenantId)));
Assert.Contains(Constants.IncorrectSecretError, exception.Message);
Assert.Contains(HttpStatusCode.Forbidden.ToString(), exception.Message);
}
public async Task ServiceFabricNet452Unsupported()
{
// Setup the environment variables that App Service MSI would setup.
Environment.SetEnvironmentVariable(Constants.MsiServiceFabricEndpointEnv, "https://10.0.0.4:2377/metadata/identity/oauth2/token");
Environment.SetEnvironmentVariable(Constants.MsiServiceFabricHeaderEnv, "f8c33594-3eea-46de-8888-d3d258f054e0");
Environment.SetEnvironmentVariable(Constants.MsiServiceFabricThumbprintEnv, "e9c25f41a4d8b430201b32918fb3a86d5325b69f");
Environment.SetEnvironmentVariable(Constants.MsiServiceFabricApiVersionEnv, "2020-05-01");
MockMsi mockMsi = new MockMsi(MockMsi.MsiTestType.MsiServiceFabricSuccess);
MsiAccessTokenProvider msiAccessTokenProvider = new MsiAccessTokenProvider(mockMsi);
var exception = await Assert.ThrowsAsync <AzureServiceTokenProviderException>(() => Task.Run(() => msiAccessTokenProvider.GetAuthResultAsync(Constants.KeyVaultResourceId, Constants.TenantId)));
Assert.Contains("not supported", exception.Message);
}
public async Task HttpResponseExceptionTest()
{
// Setup the environment variables
Environment.SetEnvironmentVariable(Constants.MsiAppServiceEndpointEnv, Constants.MsiEndpoint);
Environment.SetEnvironmentVariable(Constants.MsiAppServiceHeaderEnv, Constants.ClientSecret);
MockMsi mockMsi = new MockMsi(MockMsi.MsiTestType.MsiAppServicesFailure);
MsiAccessTokenProvider msiAccessTokenProvider = new MsiAccessTokenProvider(mockMsi);
// use test hook to expedite test
MsiRetryHelper.WaitBeforeRetry = false;
var exception = await Assert.ThrowsAsync <AzureServiceTokenProviderException>(() => Task.Run(() => msiAccessTokenProvider.GetAuthResultAsync(Constants.KeyVaultResourceId, Constants.TenantId)));
Assert.Contains(AzureServiceTokenProviderException.MsiEndpointNotListening, exception.Message);
}
public async Task HttpResponseExceptionTest()
{
// Setup the environment variables
Environment.SetEnvironmentVariable(Constants.MsiAppServiceEndpointEnv, Constants.MsiEndpoint);
Environment.SetEnvironmentVariable(Constants.MsiAppServiceSecretEnv, Constants.ClientSecret);
MockMsi mockMsi = new MockMsi(MockMsi.MsiTestType.MsiAppServicesFailure);
HttpClient httpClient = new HttpClient(mockMsi);
MsiAccessTokenProvider msiAccessTokenProvider = new MsiAccessTokenProvider(httpClient);
var exception = await Assert.ThrowsAsync <AzureServiceTokenProviderException>(() => Task.Run(() => msiAccessTokenProvider.GetAuthResultAsync(Constants.KeyVaultResourceId, Constants.TenantId)));
// Delete the environment variables
Environment.SetEnvironmentVariable(Constants.MsiAppServiceEndpointEnv, null);
Environment.SetEnvironmentVariable(Constants.MsiAppServiceSecretEnv, null);
Assert.Contains(AzureServiceTokenProviderException.MsiEndpointNotListening, exception.Message);
}
public async Task GetTokenUsingMsiAppServices()
{
// Setup the environment variables that App Service MSI would setup.
Environment.SetEnvironmentVariable(Constants.MsiAppServiceEndpointEnv, Constants.MsiEndpoint);
Environment.SetEnvironmentVariable(Constants.MsiAppServiceSecretEnv, Constants.ClientSecret);
// MockMsi is being asked to act like response from App Service MSI suceeded.
MockMsi mockMsi = new MockMsi(MockMsi.MsiTestType.MsiAppServicesSuccess);
HttpClient httpClient = new HttpClient(mockMsi);
MsiAccessTokenProvider msiAccessTokenProvider = new MsiAccessTokenProvider(httpClient);
// Get token. This confirms that the environment variables are being read.
var authResult = await msiAccessTokenProvider.GetAuthResultAsync(Constants.KeyVaultResourceId, Constants.TenantId).ConfigureAwait(false);
// Delete the environment variables
Environment.SetEnvironmentVariable(Constants.MsiAppServiceEndpointEnv, null);
Environment.SetEnvironmentVariable(Constants.MsiAppServiceSecretEnv, null);
Validator.ValidateToken(authResult.AccessToken, msiAccessTokenProvider.PrincipalUsed, Constants.AppType, Constants.TenantId, Constants.TestAppId, expiresOn: authResult.ExpiresOn);
}
public void DiscoveryTestBothFail()
{
// Mock process manager is being asked to act like Azure CLI was NOT able to get the token.
MockProcessManager mockProcessManager = new MockProcessManager(MockProcessManager.MockProcessManagerRequestType.ProcessNotFound);
AzureCliAccessTokenProvider azureCliAccessTokenProvider = new AzureCliAccessTokenProvider(mockProcessManager);
// Mock MSI is being asked to act like MSI was NOT able to get token.
MockMsi mockMsi = new MockMsi(MockMsi.MsiTestType.MsiAppServicesFailure);
HttpClient httpClient = new HttpClient(mockMsi);
MsiAccessTokenProvider msiAccessTokenProvider = new MsiAccessTokenProvider(httpClient);
// set env vars so MsiAccessTokenProvider assumes App Service environment and not VM environment
Environment.SetEnvironmentVariable(Constants.MsiAppServiceEndpointEnv, Constants.MsiEndpoint);
Environment.SetEnvironmentVariable(Constants.MsiAppServiceSecretEnv, Constants.ClientSecret);
// use test hook to expedite test
MsiRetryHelper.WaitBeforeRetry = false;
// AzureServiceTokenProvider is being asked to use two providers, and and both should fail to get token.
var providers = new List <NonInteractiveAzureServiceTokenProviderBase> {
azureCliAccessTokenProvider, msiAccessTokenProvider
};
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider(providers);
var exception = Assert.ThrowsAsync <AzureServiceTokenProviderException>(() => azureServiceTokenProvider.GetAccessTokenAsync(Constants.GraphResourceId, Constants.TenantId));
Assert.Contains(Constants.NoMethodWorkedToGetTokenError, exception.Result.Message);
// Mock process manager will fail, and so hit count will be 1.
Assert.Equal(1, mockProcessManager.HitCount);
// AzureCliAccessTokenProvider will fail, and so MSI handler will be hit next. MSI retry count is 5 so hit count is 5 here.
Assert.Equal(5, mockMsi.HitCount);
// Clean up environment variables
Environment.SetEnvironmentVariable(Constants.MsiAppServiceEndpointEnv, null);
Environment.SetEnvironmentVariable(Constants.MsiAppServiceSecretEnv, null);
}
public async Task GetTokenUsingManagedIdentityServiceFabric(bool specifyUserAssignedManagedIdentity)
{
// Setup the environment variables that App Service MSI would setup.
Environment.SetEnvironmentVariable(Constants.MsiServiceFabricEndpointEnv, "https://10.0.0.4:2377/metadata/identity/oauth2/token");
Environment.SetEnvironmentVariable(Constants.MsiServiceFabricHeaderEnv, "f8c33594-3eea-46de-8888-d3d258f054e0");
Environment.SetEnvironmentVariable(Constants.MsiServiceFabricThumbprintEnv, "e9c25f41a4d8b430201b32918fb3a86d5325b69f");
Environment.SetEnvironmentVariable(Constants.MsiServiceFabricApiVersionEnv, "2020-05-01");
string expectedAppId;
string managedIdentityArgument;
MockMsi.MsiTestType msiTestType;
// Determine arguments and expected values based whether user-assigned managed identity is used
// Service Fabric backend is IMDS, so responses will be similar to Azure VM responses
if (specifyUserAssignedManagedIdentity)
{
managedIdentityArgument = Constants.TestUserAssignedManagedIdentityId;
msiTestType = MockMsi.MsiTestType.MsiUserAssignedIdentityServiceFabricSuccess;
expectedAppId = Constants.TestUserAssignedManagedIdentityId;
}
else
{
managedIdentityArgument = null;
msiTestType = MockMsi.MsiTestType.MsiServiceFabricSuccess;
expectedAppId = Constants.TestAppId;
}
// MockMsi is being asked to act like response from App Service MSI suceeded.
MockMsi mockMsi = new MockMsi(msiTestType);
MsiAccessTokenProvider msiAccessTokenProvider = new MsiAccessTokenProvider(mockMsi, managedIdentityClientId: managedIdentityArgument);
// Get token. This confirms that the environment variables are being read.
var authResult = await msiAccessTokenProvider.GetAuthResultAsync(Constants.KeyVaultResourceId, Constants.TenantId).ConfigureAwait(false);
Validator.ValidateToken(authResult.AccessToken, msiAccessTokenProvider.PrincipalUsed, Constants.AppType, Constants.TenantId, expectedAppId, expiresOn: authResult.ExpiresOn);
}
