[Identity] Support SecureString output for Pwsh cred (#36653)

The `Az.Accounts` module for PowerShell will soon start outputting
token data as secure strings. This ensures that `AzurePowerShellCredential`
can handle this format.

Signed-off-by: Paul Van Eck <[email protected]>

Author: pvaneck

sdk/identity/azure-identity/CHANGELOG.md

@@ -10,6 +10,8 @@
 
 ### Other Changes
 
+- `AzurePowerShellCredential` now supports using secure strings when authenticating with PowerShell. ([#36653](https://github.com/Azure/azure-sdk-for-python/pull/36653))
+
 ## 1.18.0b1 (2024-07-16)
 
 - Fixed the issue that `SharedTokenCacheCredential` was not picklable.

sdk/identity/azure-identity/azure/identity/_credentials/azure_powershell.py

@@ -34,9 +34,24 @@
     exit
 }}
 
-$token = Get-AzAccessToken -ResourceUrl '{}'{}
+$params = @{{ 'ResourceUrl' = '{}'; 'WarningAction' = 'Ignore' }}
 
-Write-Output "`nazsdk%$($token.Token)%$($token.ExpiresOn.ToUnixTimeSeconds())`n"
+$tenantId = '{}'
+if ($tenantId.Length -gt 0) {{
+    $params['TenantId'] = $tenantId
+}}
+
+$useSecureString = $m.Version -ge [version]'2.17.0'
+if ($useSecureString) {{
+    $params['AsSecureString'] = $true
+}}
+
+$token = Get-AzAccessToken @params
+$tokenValue = $token.Token
+if ($useSecureString) {{
+    $tokenValue = $tokenValue | ConvertFrom-SecureString -AsPlainText
+}}
+Write-Output "`nazsdk%$($tokenValue)%$($token.ExpiresOn.ToUnixTimeSeconds())`n"
 """
 
 
@@ -182,10 +197,7 @@ def parse_token(output: str) -> AccessToken:
 
 
 def get_command_line(scopes: Tuple[str, ...], tenant_id: str) -> List[str]:
-    if tenant_id:
-        tenant_argument = " -TenantId " + tenant_id
-    else:
-        tenant_argument = ""
+    tenant_argument = tenant_id if tenant_id else ""
     resource = _scopes_to_resource(*scopes)
     script = SCRIPT.format(NO_AZ_ACCOUNT_MODULE, resource, tenant_argument)
     encoded_script = base64.b64encode(script.encode("utf-16-le")).decode()
@@ -212,4 +224,6 @@ def raise_for_error(return_code: int, stdout: str, stderr: str) -> None:
     if stderr:
         # stderr is too noisy to include with an exception but may be useful for debugging
         _LOGGER.debug('%s received an error from Azure PowerShell: "%s"', AzurePowerShellCredential.__name__, stderr)
-    raise CredentialUnavailableError(message="Failed to invoke PowerShell")
+    raise CredentialUnavailableError(
+        message="Failed to invoke PowerShell. Enable debug logging for additional information."
+    )

sdk/identity/azure-identity/tests/test_live_async.py

@@ -73,18 +73,21 @@ async def test_default_credential(live_service_principal):
 
 
 @pytest.mark.manual
+@pytest.mark.asyncio
 async def test_cli_credential():
     credential = AzureCliCredential()
     await get_token(credential)
 
 
 @pytest.mark.manual
+@pytest.mark.asyncio
 async def test_dev_cli_credential():
     credential = AzureDeveloperCliCredential()
     await get_token(credential)
 
 
 @pytest.mark.manual
+@pytest.mark.asyncio
 async def test_powershell_credential():
     credential = AzurePowerShellCredential()
     await get_token(credential)

sdk/identity/azure-identity/tests/test_powershell_credential.py

@@ -114,8 +114,8 @@ def test_get_token(stderr):
     assert match, "couldn't find encoded script in command line"
     encoded_script = match.groups()[0]
     decoded_script = base64.b64decode(encoded_script).decode("utf-16-le")
-    assert "TenantId" not in decoded_script
-    assert "Get-AzAccessToken -ResourceUrl '{}'".format(scope) in decoded_script
+    assert "tenantId = ''" in decoded_script
+    assert f"'ResourceUrl' = '{scope}'" in decoded_script
 
     assert Popen().communicate.call_count == 1
     args, kwargs = Popen().communicate.call_args
@@ -292,7 +292,7 @@ def Popen(args, **kwargs):
 
 def test_multitenant_authentication():
     first_token = "***"
-    second_tenant = "second-tenant"
+    second_tenant = "12345"
     second_token = first_token * 2
 
     def fake_Popen(command, **_):
@@ -301,11 +301,12 @@ def fake_Popen(command, **_):
         assert match, "couldn't find encoded script in command line"
         encoded_script = match.groups()[0]
         decoded_script = base64.b64decode(encoded_script).decode("utf-16-le")
-        match = re.search(r"Get-AzAccessToken -ResourceUrl '(\S+)'(?: -TenantId (\S+))?", decoded_script)
-        tenant = match.groups()[1]
+        match = re.search(r"\$tenantId\s*=\s*'([^']*)'", decoded_script)
+        assert match
+        tenant = match.group(1)
 
-        assert tenant is None or tenant == second_tenant, 'unexpected tenant "{}"'.format(tenant)
-        token = first_token if tenant is None else second_token
+        assert not tenant or tenant == second_tenant, 'unexpected tenant "{}"'.format(tenant)
+        token = first_token if not tenant else second_token
         stdout = "azsdk%{}%{}".format(token, int(time.time()) + 3600)
 
         communicate = Mock(return_value=(stdout, ""))
@@ -333,10 +334,11 @@ def fake_Popen(command, **_):
         assert match, "couldn't find encoded script in command line"
         encoded_script = match.groups()[0]
         decoded_script = base64.b64decode(encoded_script).decode("utf-16-le")
-        match = re.search(r"Get-AzAccessToken -ResourceUrl '(\S+)'(?: -TenantId (\S+))?", decoded_script)
-        tenant = match.groups()[1]
+        match = re.search(r"\$tenantId\s*=\s*'([^']*)'", decoded_script)
+        assert match
+        tenant = match.group(1)
 
-        assert tenant is None, "credential shouldn't accept an explicit tenant ID"
+        assert not tenant, "credential shouldn't accept an explicit tenant ID"
         stdout = "azsdk%{}%{}".format(expected_token, int(time.time()) + 3600)
 
         communicate = Mock(return_value=(stdout, ""))
@@ -348,5 +350,5 @@ def fake_Popen(command, **_):
         assert token.token == expected_token
 
         with patch.dict("os.environ", {EnvironmentVariables.AZURE_IDENTITY_DISABLE_MULTITENANTAUTH: "true"}):
-            token = credential.get_token("scope", tenant_id="some-tenant")
+            token = credential.get_token("scope", tenant_id="12345")
             assert token.token == expected_token

sdk/identity/azure-identity/tests/test_powershell_credential_async.py

@@ -104,8 +104,8 @@ async def test_get_token(stderr):
     assert match, "couldn't find encoded script in command line"
     encoded_script = match.groups()[0]
     decoded_script = base64.b64decode(encoded_script).decode("utf-16-le")
-    assert "TenantId" not in decoded_script
-    assert "Get-AzAccessToken -ResourceUrl '{}'".format(scope) in decoded_script
+    assert "tenantId = ''" in decoded_script
+    assert f"'ResourceUrl' = '{scope}'" in decoded_script
 
     assert mock_exec().result().communicate.call_count == 1
 
@@ -289,7 +289,7 @@ async def mock_exec(*args, **kwargs):
 
 async def test_multitenant_authentication():
     first_token = "***"
-    second_tenant = "second-tenant"
+    second_tenant = "12345"
     second_token = first_token * 2
 
     async def fake_exec(*args, **_):
@@ -299,11 +299,12 @@ async def fake_exec(*args, **_):
         assert match, "couldn't find encoded script in command line"
         encoded_script = match.groups()[0]
         decoded_script = base64.b64decode(encoded_script).decode("utf-16-le")
-        match = re.search(r"Get-AzAccessToken -ResourceUrl '(\S+)'(?: -TenantId (\S+))?", decoded_script)
-        tenant = match[2]
+        match = re.search(r"\$tenantId\s*=\s*'([^']*)'", decoded_script)
+        assert match
+        tenant = match.group(1)
 
-        assert tenant is None or tenant == second_tenant, 'unexpected tenant "{}"'.format(tenant)
-        token = first_token if tenant is None else second_token
+        assert not tenant or tenant == second_tenant, 'unexpected tenant "{}"'.format(tenant)
+        token = first_token if not tenant else second_token
         stdout = "azsdk%{}%{}".format(token, int(time.time()) + 3600)
 
         communicate = Mock(return_value=get_completed_future((stdout.encode(), b"")))
@@ -332,10 +333,11 @@ async def fake_exec(*args, **_):
         assert match, "couldn't find encoded script in command line"
         encoded_script = match.groups()[0]
         decoded_script = base64.b64decode(encoded_script).decode("utf-16-le")
-        match = re.search(r"Get-AzAccessToken -ResourceUrl '(\S+)'(?: -TenantId (\S+))?", decoded_script)
-        tenant = match[2]
+        match = re.search(r"\$tenantId\s*=\s*'([^']*)'", decoded_script)
+        assert match
+        tenant = match.group(1)
 
-        assert tenant is None, "credential shouldn't accept an explicit tenant ID"
+        assert not tenant, "credential shouldn't accept an explicit tenant ID"
         stdout = "azsdk%{}%{}".format(expected_token, int(time.time()) + 3600)
         communicate = Mock(return_value=get_completed_future((stdout.encode(), b"")))
         return Mock(communicate=communicate, returncode=0)
@@ -346,5 +348,5 @@ async def fake_exec(*args, **_):
         assert token.token == expected_token
 
         with patch.dict("os.environ", {EnvironmentVariables.AZURE_IDENTITY_DISABLE_MULTITENANTAUTH: "true"}):
-            token = await credential.get_token("scope", tenant_id="some-tenant")
+            token = await credential.get_token("scope", tenant_id="12345")
             assert token.token == expected_token