Error out on invalid ManagedIdentity dict

rayluo · rayluo · commit 0a756e96846c · 2024-09-05T22:08:56.000-07:00
diff --git a/msal/managed_identity.py b/msal/managed_identity.py
@@ -46,8 +46,9 @@ class ManagedIdentity(UserDict):
 
     @classmethod
     def is_managed_identity(cls, unknown):
-        return isinstance(unknown, ManagedIdentity) or (
-            isinstance(unknown, dict) and cls.ID_TYPE in unknown)
+        return (isinstance(unknown, ManagedIdentity)
+            or cls.is_system_assigned(unknown)
+            or cls.is_user_assigned(unknown))
 
     @classmethod
     def is_system_assigned(cls, unknown):
@@ -217,6 +218,9 @@ def __init__(
                 )
             token = client.acquire_token_for_client("resource")
         """
+        if not ManagedIdentity.is_managed_identity(managed_identity):
+            raise ManagedIdentityError(
+                f"Incorrect managed_identity: {managed_identity}")
         self._managed_identity = managed_identity
         self._http_client = _ThrottledHttpClient(
             # This class only throttles excess token acquisition requests.
diff --git a/tests/test_mi.py b/tests/test_mi.py
@@ -61,6 +61,14 @@ def setUp(self):
             http_client=requests.Session(),
             )
 
+    def test_error_out_on_invalid_input(self):
+        with self.assertRaises(ManagedIdentityError):
+            ManagedIdentityClient({"foo": "bar"}, http_client=requests.Session())
+        with self.assertRaises(ManagedIdentityError):
+            ManagedIdentityClient(
+                {"ManagedIdentityIdType": "undefined", "Id": "foo"},
+                http_client=requests.Session())
+
     def assertCacheStatus(self, app):
         cache = app._token_cache._cache
         self.assertEqual(1, len(cache.get("AccessToken", [])), "Should have 1 AT")
@@ -241,6 +249,9 @@ class ArcTestCase(ClientTestCase):
         "WWW-Authenticate": "Basic realm=/tmp/foo",
         })
 
+    def test_error_out_on_invalid_input(self, mocked_stat):
+        return super(ArcTestCase, self).test_error_out_on_invalid_input()
+
     def test_happy_path(self, mocked_stat):
         expires_in = 1234
         with patch.object(self.app._http_client, "get", side_effect=[
