Upgrade Azure.Identity to 1.10.3 and other dependencies (#23957)

* Release an Preview Az.Accounts for Updating Az.Identity to 1.10.3 (#23766) * Upgrade Azure.Identity to 1.10.0 Update Azure.Identity.Broker to 1.0.0-beta.5 Migrate Token Cache from Name without Suffix to Name with Suffix Set CAEenabled to true in TokenCredential Fix bugs Update Change Log Fix the issue that token cache cannot be migrated in Mac and Linux Integrate the Source Codes of Azure.Identity 1.10.0 to Enable CAE for Client Assertion Authencation * Try to fix Build Issue * Fix token acquisition error of Service Principal when upgrading Az.Accounts (#23841) #23831 * Polish change log * Address review comments
Azure · Jan 24, 2024 · 927fa79 · 927fa79
1 parent 1816872
commit 927fa79
Show file tree

Hide file tree

Showing 80 changed files with 5,089 additions and 208 deletions.
diff --git a/src/Accounts/Accounts/Account/ConnectAzureRmAccount.cs b/src/Accounts/Accounts/Account/ConnectAzureRmAccount.cs
@@ -678,6 +678,7 @@ public void OnImport()
 #endif
                 AzureSessionInitializer.InitializeAzureSession(WriteInitializationWarnings);
                 AzureSessionInitializer.MigrateAdalCache(AzureSession.Instance, GetAzureContextContainer, WriteInitializationWarnings);
+                AzureSessionInitializer.MigrateMsalCacheWithoutSuffix(AzureSession.Instance, WriteInitializationWarnings);
 #if DEBUG
                 if (!TestMockSupport.RunningMocked)
                 {

diff --git a/src/Accounts/Accounts/ChangeLog.md b/src/Accounts/Accounts/ChangeLog.md
@@ -19,6 +19,9 @@
 -->
 
 ## Upcoming Release
+* Upgraded Azure.Identity to 1.10.3 [#23018].
+  - Renamed token cache from `msal.cache` to `msal.cache.cae` or `masl.cache.nocae`.
+* Enabled Continue Access Evalution (CAE) for all Service Principals login methods.
 * Adjusted output format to be more user-friendly for `Get-AzContext/Tenant/Subscription` and `Invoke-AzRestMethod`
 * Fixed the multiple `x-ms-unique-id` values issue
 

diff --git a/src/Accounts/AssemblyLoading/ConditionalAssemblyProvider.cs b/src/Accounts/AssemblyLoading/ConditionalAssemblyProvider.cs
@@ -43,14 +43,14 @@ public static void Initialize(string rootPath, IConditionalAssemblyContext conte
                 // todo: consider moving the list to a standalone config file
                 #region AssemblyList
                 CreateAssembly("netcoreapp2.1", "Azure.Core", "1.35.0.0").WithPowerShellCore(),
-                CreateAssembly("netcoreapp2.1", "Microsoft.Identity.Client", "4.49.1.0").WithPowerShellCore(),
-                CreateAssembly("netcoreapp3.1", "Microsoft.Identity.Client.Extensions.Msal", "2.23.0.0").WithPowerShellCore(),
 
-                CreateAssembly("netstandard2.0", "Azure.Identity", "1.6.1.0"),
-                CreateAssembly("netstandard2.0", "Azure.Identity.BrokeredAuthentication", "1.0.0.0"),
+                CreateAssembly("netstandard2.0", "Azure.Identity", "1.10.3.0"),
+                CreateAssembly("netstandard2.0", "Azure.Identity.Broker", "1.0.0.0"),
                 CreateAssembly("netstandard2.0", "Microsoft.Bcl.AsyncInterfaces", "1.0.0.0"),
-                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client.Broker", "4.49.1.0"),
-                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client.NativeInterop", "0.13.3.0"),
+                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client", "4.56.0.0"),
+                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client.Extensions.Msal", "4.56.0.0"),
+                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client.Broker", "4.56.0.0"),
+                CreateAssembly("netstandard2.0", "Microsoft.Identity.Client.NativeInterop", "0.13.8.0"),
                 CreateAssembly("netstandard2.0", "Microsoft.IdentityModel.Abstractions", "6.22.1.0"),
                 CreateAssembly("netstandard2.0", "System.Memory.Data", "1.0.2.0"),
                 CreateAssembly("netstandard2.0", "System.Text.Json", "4.0.1.2"),
@@ -65,14 +65,13 @@ public static void Initialize(string rootPath, IConditionalAssemblyContext conte
                 CreateAssembly("netstandard2.0", "System.Threading.Tasks.Extensions", "4.2.0.1").WithWindowsPowerShell(),
 
                 CreateAssembly("netfx", "Azure.Core", "1.35.0.0").WithWindowsPowerShell(),
-                CreateAssembly("netfx", "Microsoft.Identity.Client", "4.49.1.0").WithWindowsPowerShell(),
-                CreateAssembly("netfx", "Microsoft.Identity.Client.Extensions.Msal", "2.23.0.0").WithWindowsPowerShell(),
                 CreateAssembly("netfx", "Newtonsoft.Json", "13.0.0.0").WithWindowsPowerShell(),
                 CreateAssembly("netfx", "System.Diagnostics.DiagnosticSource", "6.0.0.1").WithWindowsPowerShell(),
                 CreateAssembly("netfx", "System.Numerics.Vectors", "4.1.4.0").WithWindowsPowerShell(),
                 CreateAssembly("netfx", "System.Reflection.DispatchProxy", "4.0.4.0").WithWindowsPowerShell(),
                 CreateAssembly("netfx", "System.Runtime.CompilerServices.Unsafe", "6.0.0.0").WithWindowsPowerShell(),
                 CreateAssembly("netfx", "System.Security.Cryptography.Cng", "4.3.0.0").WithWindowsPowerShell(),
+                CreateAssembly("netfx", "System.Security.Cryptography.ProtectedData", "4.5.0.0").WithWindowsPowerShell(),
                 CreateAssembly("netfx", "System.Text.Encodings.Web", "4.0.5.1").WithWindowsPowerShell(),
                 CreateAssembly("netfx", "System.Xml.ReaderWriter", "4.1.0.0").WithWindowsPowerShell(),
                 #endregion

diff --git a/src/Accounts/Authentication/Authentication.csproj b/src/Accounts/Authentication/Authentication.csproj
@@ -12,10 +12,10 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Azure.Identity" Version="1.6.1" />
-    <PackageReference Include="Azure.Identity.BrokeredAuthentication" Version="1.0.0-beta.3" />
-    <PackageReference Include="Microsoft.Identity.Client" Version="4.49.1" />
-    <PackageReference Include="Microsoft.Identity.Client.Extensions.Msal" Version="2.23.0" />
+    <PackageReference Include="Azure.Identity" Version="1.10.3" />
+    <PackageReference Include="Azure.Identity.Broker" Version="1.0.0-beta.5" />
+    <PackageReference Include="Microsoft.Identity.Client" Version="4.56.0" />
+    <PackageReference Include="Microsoft.Identity.Client.Extensions.Msal" Version="4.56.0" />
   </ItemGroup>
 
   <ItemGroup>

diff --git a/src/Accounts/Authentication/Authentication/TokenCache/AdalTokenMigrator.cs b/src/Accounts/Authentication/Authentication/TokenCache/AdalTokenMigrator.cs
@@ -38,7 +38,7 @@ public AdalTokenMigrator(byte[] adalToken, Func<IAzureContextContainer> getConte
             ContextContainerInitializer = new Lazy<IAzureContextContainer>(getContextContainer);
         }
 
-        public void MigrateFromAdalToMsal()
+        public void MigrateFromAdalToMsal(string tokenCacheFile)
         {
             MsalCacheHelper cacheHelper = null;
             var builder = PublicClientApplicationBuilder.Create(Constants.PowerShellClientId);
@@ -61,7 +61,7 @@ public void MigrateFromAdalToMsal()
                         if (!HasRegistered)
                         {
                             HasRegistered = true;
-                            cacheHelper = MsalCacheHelperProvider.GetCacheHelper();
+                            cacheHelper = MsalCacheHelperProvider.GetCacheHelper(tokenCacheFile);
                             cacheHelper.RegisterCache(clientApplication.UserTokenCache);
                         }
                     }

diff --git a/src/Accounts/Authentication/Authentication/TokenCache/PowerShellTokenCacheProvider.cs b/src/Accounts/Authentication/Authentication/TokenCache/PowerShellTokenCacheProvider.cs
@@ -27,7 +27,6 @@
 using Microsoft.Azure.PowerShell.Common.Config;
 using Microsoft.Identity.Client;
 using Microsoft.Identity.Client.Broker;
-using Microsoft.Rest;
 
 namespace Microsoft.Azure.Commands.Common.Authentication
 {
@@ -174,7 +173,7 @@ public virtual IPublicClientApplication CreatePublicClient(string authority = nu
             if (AzureSession.Instance.TryGetComponent<IConfigManager>(nameof(IConfigManager), out var config)
                 && config.GetConfigValue<bool>(ConfigKeys.EnableLoginByWam))
             {
-                builder = builder.WithBrokerPreview();
+                builder = builder.WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows));
             }
             if (!string.IsNullOrEmpty(authority))
             {

diff --git a/src/Accounts/Authentication/Authentication/TokenCache/SharedTokenCacheProvider.cs b/src/Accounts/Authentication/Authentication/TokenCache/SharedTokenCacheProvider.cs
@@ -34,7 +34,8 @@ public SharedTokenCacheProvider(byte[] adalTokenCache = null)
             AdalTokenCache = adalTokenCache;
             TokenCachePersistenceOptions = new TokenCachePersistenceOptions()
             {
-                UnsafeAllowUnencryptedStorage = true
+                UnsafeAllowUnencryptedStorage = true,
+                Name = MsalCacheHelperProvider.GetTokenCacheNameWithoutSuffix(AzureSession.Instance.TokenCacheFile)
             };
         }
 
@@ -136,7 +137,7 @@ private static MsalCacheHelper GetCacheHelper()
 
         private static MsalCacheHelper CreateCacheHelper()
         {
-            return MsalCacheHelperProvider.GetCacheHelper();
+            return MsalCacheHelperProvider.GetCacheHelper(AzureSession.Instance.TokenCacheFile);
         }
 
         public override TokenCachePersistenceOptions GetTokenCachePersistenceOptions()

diff --git a/src/Accounts/Authentication/AzureSessionInitializer.cs b/src/Accounts/Authentication/AzureSessionInitializer.cs
@@ -12,30 +12,31 @@
 // limitations under the License.
 // ----------------------------------------------------------------------------------
 
-using System;
-using System.Diagnostics;
-using System.IO;
-using System.Linq;
-
 using Hyak.Common;
 
 using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
 using Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core;
 using Microsoft.Azure.Commands.Common.Authentication.Authentication.TokenCache;
-using Microsoft.Azure.Commands.Common.Authentication.Factories;
-using Microsoft.Azure.Commands.Common.Authentication.Properties;
 using Microsoft.Azure.Commands.Common.Authentication.Config;
-using Newtonsoft.Json;
+using Microsoft.Azure.Commands.Common.Authentication.Factories;
 using Microsoft.Azure.Commands.Common.Authentication.Models;
+using Microsoft.Azure.Commands.Common.Authentication.Properties;
+using Microsoft.Azure.Commands.Common.Authentication.Utilities;
+using Microsoft.Identity.Client.Extensions.Msal;
+using Microsoft.WindowsAzure.Commands.Common;
+using Microsoft.WindowsAzure.Commands.Common.Utilities;
+using Microsoft.WindowsAzure.Commands.Utilities.Common;
 
+using Newtonsoft.Json;
 
-using TraceLevel = System.Diagnostics.TraceLevel;
+using System;
 using System.Collections.Generic;
+using System.Diagnostics;
+using System.IO;
+using System.Linq;
 using System.Threading;
-using Microsoft.WindowsAzure.Commands.Utilities.Common;
-using Microsoft.Azure.Commands.Common.Authentication.Utilities;
-using Microsoft.WindowsAzure.Commands.Common.Utilities;
-using Microsoft.WindowsAzure.Commands.Common;
+
+using TraceLevel = System.Diagnostics.TraceLevel;
 
 namespace Microsoft.Azure.Commands.Common.Authentication
 {
@@ -119,7 +120,7 @@ public static void MigrateAdalCache(IAzureSession session, Func<IAzureContextCon
                 }
 
                 var adalCachePath = Path.Combine(session.ProfileDirectory, "TokenCache.dat");
-                var msalCachePath = Path.Combine(session.TokenCacheDirectory, "msal.cache");
+                var msalCachePath = Path.Combine(session.TokenCacheDirectory, session.TokenCacheFile);
                 var store = session.DataStore;
                 if (!store.FileExists(adalCachePath) || store.FileExists(msalCachePath))
                 {
@@ -142,7 +143,7 @@ public static void MigrateAdalCache(IAzureSession session, Func<IAzureContextCon
 
                 if (adalData != null && adalData.Length > 0)
                 {
-                    new AdalTokenMigrator(adalData, getContextContainer).MigrateFromAdalToMsal();
+                    new AdalTokenMigrator(adalData, getContextContainer).MigrateFromAdalToMsal(session.TokenCacheFile);
                 }
             }
             catch (Exception e)
@@ -151,6 +152,35 @@ public static void MigrateAdalCache(IAzureSession session, Func<IAzureContextCon
             }
         }
 
+        public static void MigrateMsalCacheWithoutSuffix(IAzureSession session, Action<string> writeWarning)
+        {
+            try
+            {
+                if (session.ARMContextSaveMode == ContextSaveMode.CurrentUser)
+                {
+                    var oldMsalCachePath = Path.Combine(MsalCacheHelperProvider.MsalTokenCachePath, MsalCacheHelperProvider.LegacyTokenCacheName);
+                    var newMsalCachePath = Path.Combine(MsalCacheHelperProvider.MsalTokenCachePath, session.TokenCacheFile);
+                    var store = session.DataStore;
+                    if (store.FileExists(oldMsalCachePath) && !store.FileExists(newMsalCachePath))
+                    {
+                        MsalCacheHelperProvider.Reset();
+                        MsalCacheHelper oldCacheHelper = MsalCacheHelperProvider.GetCacheHelper(MsalCacheHelperProvider.LegacyTokenCacheName);
+                        var data = oldCacheHelper.LoadUnencryptedTokenCache();
+                        if (data != null && data.Length > 0)
+                        {
+                            MsalCacheHelperProvider.Reset();
+                            MsalCacheHelper newCacheHelper = MsalCacheHelperProvider.GetCacheHelper(session.TokenCacheFile);
+                            newCacheHelper.SaveUnencryptedTokenCache(data);
+                        }
+                    }
+                }
+            }
+            catch (Exception e)
+            {
+                writeWarning(Resources.FailedToMigrateMsalCacheWithLegayName.FormatInvariant(e.Message));
+            }
+        }
+
         static ContextAutosaveSettings InitializeSessionSettings(IDataStore store, string profileDirectory, string settingsFile, bool migrated = false)
         {
             return InitializeSessionSettings(store, profileDirectory, profileDirectory, settingsFile, migrated);
@@ -163,7 +193,7 @@ static ContextAutosaveSettings InitializeSessionSettings(IDataStore store, strin
                 CacheDirectory = cacheDirectory,
                 ContextDirectory = profileDirectory,
                 Mode = ContextSaveMode.Process,
-                CacheFile = "msal.cache",
+                CacheFile = MsalCacheHelperProvider.LegacyTokenCacheName,
                 ContextFile = "AzureRmContext.json"
             };
 
@@ -181,6 +211,7 @@ static ContextAutosaveSettings InitializeSessionSettings(IDataStore store, strin
                     result.Mode = settings.Mode;
                     result.ContextFile = settings.ContextFile ?? result.ContextFile;
                     result.Settings = settings.Settings;
+                    result.KeyStoreFile = settings.KeyStoreFile;
                     bool updateSettings = false;
                     if (!settings.Settings.ContainsKey("InstallationId"))
                     {
@@ -271,8 +302,8 @@ static IAzureSession CreateInstance(IDataStore dataStore = null, Action<string>
             session.ARMProfileDirectory = autoSave.ContextDirectory;
             session.ARMProfileFile = autoSave.ContextFile;
             session.TokenCacheDirectory = autoSave.CacheDirectory;
-            session.TokenCacheFile = autoSave.CacheFile;
-            session.KeyStoreFile = "keystore.cache";
+            session.TokenCacheFile = MsalCacheHelperProvider.GetTokenCacheName(autoSave.CacheFile, true);
+            session.KeyStoreFile = autoSave.KeyStoreFile ?? "keystore.cache";
             autoSave.Settings.TryGetValue("InstallationId", out string installationId);
             session.ExtendedProperties.Add("InstallationId", installationId);
             InitializeConfigs(session, profilePath, writeWarning);

diff --git a/src/Accounts/Authentication/Identity/AbstractAcquireTokenParameterBuilderExtensions.cs b/src/Accounts/Authentication/Identity/AbstractAcquireTokenParameterBuilderExtensions.cs
@@ -0,0 +1,36 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+//
+
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Identity.Client;
+
+namespace Microsoft.Azure.PowerShell.Authenticators.Identity
+{
+    internal static class AbstractAcquireTokenParameterBuilderExtensions
+    {
+        public static async ValueTask<AuthenticationResult> ExecuteAsync<T>(this AbstractAcquireTokenParameterBuilder<T> builder, bool async, CancellationToken cancellationToken)
+            where T : AbstractAcquireTokenParameterBuilder<T>
+        {
+            Microsoft.Identity.Client.AuthenticationResult result = async
+                ? await builder.ExecuteAsync(cancellationToken).ConfigureAwait(false)
+#pragma warning disable AZC0102 // Do not use GetAwaiter().GetResult(). Use the TaskExtensions.EnsureCompleted() extension method instead.
+                : builder.ExecuteAsync(cancellationToken).GetAwaiter().GetResult();
+#pragma warning restore AZC0102 // Do not use GetAwaiter().GetResult(). Use the TaskExtensions.EnsureCompleted() extension method instead.
+
+            return result;
+        }
+    }
+}
diff --git a/src/Accounts/Authentication/Identity/AuthenticationAccount.cs b/src/Accounts/Authentication/Identity/AuthenticationAccount.cs
@@ -0,0 +1,36 @@
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+//
+using Microsoft.Identity.Client;
+
+namespace Microsoft.Azure.PowerShell.Authenticators.Identity
+{
+    internal class AuthenticationAccount : IAccount
+    {
+        private AuthenticationRecord _profile;
+
+        internal AuthenticationAccount(AuthenticationRecord profile)
+        {
+            _profile = profile;
+        }
+
+        string IAccount.Username => _profile.Username;
+
+        string IAccount.Environment => _profile.Authority;
+
+        AccountId IAccount.HomeAccountId => _profile.AccountId;
+
+        public static explicit operator AuthenticationAccount(AuthenticationRecord profile) => new AuthenticationAccount(profile);
+        public static explicit operator AuthenticationRecord(AuthenticationAccount account) => account._profile;
+    }
+}