{AuthV2} az webapp auth update: Fix --excluded-paths logic (#9315)

* az webapp auth update --excluded-path silently truncates or misparses path value
Fixes #31803

* linting

* added fix for authV2 parsing with testing, rerecorded all cassettes

* fixed testing

* updated tests

* updated tests location for sku

Author: a0x1ab

src/authV2/HISTORY.rst

@@ -3,6 +3,10 @@
 Release History
 ===============
 
+1.0.1
+++++++
+* Fix excluded paths parsing in `az webapp auth update` command.
+
 1.0.0
 ++++++
 * Update module documentation.

src/authV2/azext_authV2/custom.py

@@ -159,8 +159,16 @@ def update_auth_settings_v2(cmd, resource_group_name, name, set_string=None, ena
     if excluded_paths is not None:
         if "globalValidation" not in existing_auth.keys():
             existing_auth["globalValidation"] = {}
-        excluded_paths_list_string = excluded_paths[1:-1]
-        existing_auth["globalValidation"]["excludedPaths"] = excluded_paths_list_string.split(",")
+        try:
+            parsed = json.loads(excluded_paths)
+            if isinstance(parsed, list):
+                excluded_paths_list = parsed
+            else:
+                excluded_paths_list = [parsed] if parsed else []
+        except json.JSONDecodeError:
+            excluded_paths_list = excluded_paths.split(",")
+
+        existing_auth["globalValidation"]["excludedPaths"] = excluded_paths_list
 
     existing_auth = update_http_settings_in_auth_settings(existing_auth, require_https,
                                                           proxy_convention, proxy_custom_host_header,

src/authV2/azext_authV2/tests/latest/recordings/test_authV2_auth.yaml

@@ -16,11 +16,12 @@
 class Authv2ScenarioTest(ScenarioTest):
 
     @ResourceGroupPreparer(name_prefix='cli_test_authV2')
+    @AllowLargeResponse()
     def test_authV2_clientsecret_param_combinations(self, resource_group):
         webapp_name = self.create_random_name('webapp-authentication-test', 40)
         plan_name = self.create_random_name('webapp-authentication-plan', 40)
         self.cmd(
-            'appservice plan create -g {} -n {} --sku S1'.format(resource_group, plan_name))
+            'appservice plan create -g {} -n {} --sku S1 --location westus2'.format(resource_group, plan_name))
         self.cmd(
             'webapp create -g {} -n {} --plan {}'.format(resource_group, webapp_name, plan_name))
         self.cmd('webapp auth config-version show -g {} -n {}'.format(resource_group, webapp_name)).assert_with_checks([
@@ -29,13 +30,15 @@ def test_authV2_clientsecret_param_combinations(self, resource_group):
 
         # testing show command for newly created app and initial fields
         self.cmd('webapp auth show -g {} -n {}'.format(resource_group, webapp_name)).assert_with_checks([
-            JMESPathCheck('properties', {})
+            JMESPathCheck('properties.platform.enabled', False)
         ])
+        self.cmd('webapp auth config-version upgrade -g {} -n {}'.format(resource_group, webapp_name))
 
         # # update and verify
         self.cmd('webapp auth update -g {} -n {} --enabled true --runtime-version 1.2.8'
                 .format(resource_group, webapp_name)).assert_with_checks([
-                    JMESPathCheck('platform', "{'enabled': True, 'runtimeVersion': '1.2.8'}")
+                    JMESPathCheck('platform.enabled', True),
+                    JMESPathCheck('platform.runtimeVersion', '1.2.8')
         ])
 
         with self.assertRaisesRegex(ArgumentUsageError, 'Usage Error: --client-secret and --client-secret-setting-name cannot both be '
@@ -79,11 +82,12 @@ def test_authV2_clientsecret_param_combinations(self, resource_group):
                 .format(resource_group, webapp_name))
 
     @ResourceGroupPreparer(name_prefix='cli_test_authV2')
+    @AllowLargeResponse()
     def test_authV2_auth(self, resource_group):
         webapp_name = self.create_random_name('webapp-authentication-test', 40)
         plan_name = self.create_random_name('webapp-authentication-plan', 40)
         self.cmd(
-            'appservice plan create -g {} -n {} --sku S1'.format(resource_group, plan_name))
+            'appservice plan create -g {} -n {} --sku S1 --location westus2'.format(resource_group, plan_name))
         self.cmd(
             'webapp create -g {} -n {} --plan {}'.format(resource_group, webapp_name, plan_name))
         self.cmd('webapp auth config-version show -g {} -n {}'.format(resource_group, webapp_name)).assert_with_checks([
@@ -92,22 +96,26 @@ def test_authV2_auth(self, resource_group):
 
         # testing show command for newly created app and initial fields
         self.cmd('webapp auth show -g {} -n {}'.format(resource_group, webapp_name)).assert_with_checks([
-            JMESPathCheck('properties', {})
+            JMESPathCheck('properties.platform.enabled', False)
         ])
+        
+        self.cmd('webapp auth config-version upgrade -g {} -n {}'.format(resource_group, webapp_name))
 
         # # update and verify
         self.cmd('webapp auth update -g {} -n {} --enabled true --runtime-version 1.2.8'
                 .format(resource_group, webapp_name)).assert_with_checks([
-                    JMESPathCheck('platform', "{'enabled': True, 'runtimeVersion': '1.2.8'}")
+                    JMESPathCheck('platform.enabled', True),
+                    JMESPathCheck('platform.runtimeVersion', '1.2.8')
         ])
 
 
     @ResourceGroupPreparer(name_prefix='cli_test_authV2')
+    @AllowLargeResponse()
     def test_authV2_authclassic(self, resource_group):
         webapp_name = self.create_random_name('webapp-authentication-test', 40)
         plan_name = self.create_random_name('webapp-authentication-plan', 40)
         self.cmd(
-            'appservice plan create -g {} -n {} --sku S1'.format(resource_group, plan_name))
+            'appservice plan create -g {} -n {} --sku S1 --location westus2'.format(resource_group, plan_name))
         self.cmd(
             'webapp create -g {} -n {} --plan {}'.format(resource_group, webapp_name, plan_name))
         self.cmd('webapp auth config-version show -g {} -n {}'.format(resource_group, webapp_name)).assert_with_checks([
@@ -154,3 +162,57 @@ def test_authV2_authclassic(self, resource_group):
             JMESPathCheck('facebookAppId', 'facebook_id')]).get_output_in_json()
 
         self.assertIn('https://audience1', result['allowedAudiences'])
+
+    @ResourceGroupPreparer(name_prefix='cli_test_authV2')
+    @AllowLargeResponse()
+    def test_authV2_excluded_paths_parsing(self, resource_group):
+        webapp_name = self.create_random_name('webapp-authentication-test', 40)
+        plan_name = self.create_random_name('webapp-authentication-plan', 40)
+        self.cmd(
+            'appservice plan create -g {} -n {} --sku S1 --location westus2'.format(resource_group, plan_name))
+        self.cmd(
+            'webapp create -g {} -n {} --plan {}'.format(resource_group, webapp_name, plan_name))
+        self.cmd('webapp auth config-version show -g {} -n {}'.format(resource_group, webapp_name)).assert_with_checks([
+            JMESPathCheck('configVersion', 'v1')
+        ])
+
+        self.cmd('webapp auth show -g {} -n {}'.format(resource_group, webapp_name)).assert_with_checks([
+            JMESPathCheck('properties.platform.enabled', False)
+        ])
+        self.cmd('webapp auth config-version upgrade -g {} -n {}'.format(resource_group, webapp_name))
+
+        # # update and verify
+        # test single path
+        self.cmd('webapp auth update -g {} -n {} --enabled true --excluded-paths "/health"'
+                .format(resource_group, webapp_name)).assert_with_checks([
+                    JMESPathCheck('platform.enabled', True),
+                    JMESPathCheck('globalValidation.excludedPaths[0]', '/health')
+        ])
+
+        # test multiple comma separated paths
+        self.cmd('webapp auth update -g {} -n {} --excluded-paths "/health,/status,/metrics"'
+                .format(resource_group, webapp_name)).assert_with_checks([
+                    JMESPathCheck('globalValidation.excludedPaths[0]', '/health'),
+                    JMESPathCheck('globalValidation.excludedPaths[1]', '/status'),
+                    JMESPathCheck('globalValidation.excludedPaths[2]', '/metrics')
+        ])
+
+        # test JSON array format
+        self.cmd('webapp auth update -g {} -n {} --excluded-paths \'["/api/health", "/api/status"]\''
+                .format(resource_group, webapp_name)).assert_with_checks([
+                    JMESPathCheck('globalValidation.excludedPaths[0]', '/api/health'),
+                    JMESPathCheck('globalValidation.excludedPaths[1]', '/api/status')
+        ])
+
+        # test paths with special characters
+        self.cmd('webapp auth update -g {} -n {} --excluded-paths "/api/v1/health,/webhook/callback"'
+                .format(resource_group, webapp_name)).assert_with_checks([
+                    JMESPathCheck('globalValidation.excludedPaths[0]', '/api/v1/health'),
+                    JMESPathCheck('globalValidation.excludedPaths[1]', '/webhook/callback')
+        ])
+
+        # test single path without leading slash
+        self.cmd('webapp auth update -g {} -n {} --excluded-paths "public"'
+                .format(resource_group, webapp_name)).assert_with_checks([
+                    JMESPathCheck('globalValidation.excludedPaths[0]', 'public')
+        ])

src/authV2/azext_authV2/tests/latest/recordings/test_authV2_authclassic.yaml

@@ -14,7 +14,7 @@
     from distutils import log as logger
     logger.warn("Wheel is not available, disabling bdist_wheel hook")
 
-VERSION = '1.0.0'
+VERSION = '1.0.1'
 
 # The full list of classifiers is available at
 # https://pypi.python.org/pypi?%3Aaction=list_classifiers