bump azure-cli and azure-cli-core to 2.31.0 (#1557)

* bump azure-cli and azure-cli-core to 2.31.0 and all required dependencies * Update src/cli/onefuzz/cred_wrapper.py Co-authored-by: Joe Ranweiler <joe@lemma.co> * updating credential wrapper * Update src/cli/onefuzz/azure_identity_credential_adapter.py Co-authored-by: Joe Ranweiler <joe@lemma.co> * updating credential wrapper * . Co-authored-by: stas <statis@microsoft.com> Co-authored-by: Joe Ranweiler <joe@lemma.co>
2025-06-16 11:58:09 +00:00 · 2022-01-05 07:11:24 -08:00
parent 5515aa1819
commit c5421894c1
10 changed files with 115 additions and 34 deletions
--- a/src/cli/onefuzz/azure_identity_credential_adapter.py
+++ b/src/cli/onefuzz/azure_identity_credential_adapter.py
@ -0,0 +1,66 @@
+# ------------------------------------
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+# ------------------------------------
+
+# Adapt credentials from azure-identity to be compatible with SDK that needs msrestazure or azure.common.credentials
+# Need msrest >= 0.6.0
+# See also https://pypi.org/project/azure-identity/
+
+# Source: https://github.com/jongio/azidext/blob/8374293bd80648f764237ddfc5f5223e7e98472b/python/azure_identity_credential_adapter.py
+
+from typing import Any
+
+from azure.core.pipeline import PipelineContext, PipelineRequest
+from azure.core.pipeline.policies import BearerTokenCredentialPolicy
+from azure.core.pipeline.transport import HttpRequest
+from azure.identity import DefaultAzureCredential
+from msrest.authentication import BasicTokenAuthentication
+
+
+class AzureIdentityCredentialAdapter(BasicTokenAuthentication):
+    def __init__(
+        self,
+        credential: Any = None,
+        resource_id: Any = "https://management.azure.com/.default",
+        **kwargs: Any
+    ):
+        """Adapt any azure-identity credential to work with SDK that needs azure.common.credentials or msrestazure.
+
+        Default resource is ARM (syntax of endpoint v2)
+
+        :param credential: Any azure-identity credential (DefaultAzureCredential by default)
+        :param str resource_id: The scope to use to get the token (default ARM)
+        """
+        super(AzureIdentityCredentialAdapter, self).__init__({})
+        if credential is None:
+            credential = DefaultAzureCredential()
+        self._policy = BearerTokenCredentialPolicy(credential, resource_id, **kwargs)
+
+    def _make_request(self) -> Any:
+        return PipelineRequest(
+            HttpRequest(
+                "AzureIdentityCredentialAdapter",
+                # This URL is not actually used. We just create a phony request to get credentials using only public APIs.
+                # Use a standard Microsoft-controlled example URL anyway.
+                "https://contoso.com",
+            ),
+            PipelineContext(None),
+        )
+
+    def set_token(self) -> Any:
+        """Ask the azure-core BearerTokenCredentialPolicy policy to get a token.
+
+        Using the policy gives us for free the caching system of azure-core.
+        We could make this code simpler by using private method, but by definition
+        I can't assure they will be there forever, so mocking a fake call to the policy
+        to extract the token, using 100% public API."""
+        request = self._make_request()
+        self._policy.on_request(request)
+        # Read Authorization, and get the second part after Bearer
+        token = request.http_request.headers["Authorization"].split(" ", 1)[1]
+        self.token = {"access_token": token}
+
+    def signed_session(self, session: Any = None) -> Any:
+        self.set_token()
+        return super(AzureIdentityCredentialAdapter, self).signed_session(session)
--- a/src/cli/onefuzz/debug.py
+++ b/src/cli/onefuzz/debug.py
@ -15,13 +15,14 @@ from uuid import UUID
 import jmespath
 from azure.applicationinsights import ApplicationInsightsDataClient
 from azure.applicationinsights.models import QueryBody
-from azure.common.client_factory import get_azure_cli_credentials
+from azure.identity import AzureCliCredential
 from onefuzztypes.enums import ContainerType, TaskType
 from onefuzztypes.models import BlobRef, Job, NodeAssignment, Report, Task, TaskConfig
 from onefuzztypes.primitives import Container, Directory, PoolName

 from onefuzz.api import UUID_EXPANSION, Command, Onefuzz

+from .azure_identity_credential_adapter import AzureIdentityCredentialAdapter
 from .backend import wait
 from .rdp import rdp_connect
 from .ssh import ssh_connect
@ -455,8 +456,8 @@ class DebugLog(Command):
            raise Exception("instance does not have an insights_appid")
        if self._client is None:

-            creds, _ = get_azure_cli_credentials(
-                resource="https://api.applicationinsights.io"
+            creds = AzureIdentityCredentialAdapter(
+                AzureCliCredential(), resource_id="https://api.applicationinsights.io"
            )
            self._client = ApplicationInsightsDataClient(creds)

--- a/src/cli/requirements.txt
+++ b/src/cli/requirements.txt
@ -1,4 +1,4 @@
-msal~=1.14.0
+msal~=1.16.0
 requests~=2.25.1
 jmespath~=0.10.0
 semver~=2.13.0
@ -11,7 +11,8 @@ azure-storage-blob~=12.8
 azure-applicationinsights==0.1.0
 tenacity==8.0.1
 docstring_parser==0.8.1
-azure-cli-core==2.27.2
+azure-identity==1.7.1
+azure-cli-core==2.31.0
 # packaging is required but not specified by azure-cli-core
 packaging==20.9
 # urllib3[secure] needs to be specifically stated for azure-cli-core