Merge branch 'Azure:dev' into acr_podman

Author: cpressland

src/azure-cli-core/azure/cli/core/auth/msal_credentials.py

@@ -51,8 +51,7 @@ def acquire_token(self, scopes, claims_challenge=None, **kwargs):
                      scopes, claims_challenge, kwargs)
 
         if claims_challenge:
-            logger.warning('Acquiring new access token silently for tenant %s with claims challenge: %s',
-                           self._msal_app.authority.tenant, claims_challenge)
+            logger.info('Acquiring new access token silently with claims challenge: %s', claims_challenge)
         result = self._msal_app.acquire_token_silent_with_error(
             scopes, self._account, claims_challenge=claims_challenge, **kwargs)
 

src/azure-cli-core/azure/cli/core/auth/tests/test_util.py

@@ -68,6 +68,15 @@ def test_generate_login_command(self):
         assert actual == ('az login --tenant "21987a97-4e85-47c5-9a13-9dc3e11b2a9a" '
                           '--scope "https://management.core.windows.net//.default"')
 
+        # tenant, scopes and claims_challenge
+        actual = _generate_login_command(
+            tenant='21987a97-4e85-47c5-9a13-9dc3e11b2a9a',
+            scopes=["https://management.core.windows.net//.default"],
+            claims_challenge='{"access_token":{"acrs":{"essential":true,"values":["p1"]}}}')
+        assert actual == ('az logout\n'
+                          'az login --tenant "21987a97-4e85-47c5-9a13-9dc3e11b2a9a" '
+                          '--scope "https://management.core.windows.net//.default" '
+                          '--claims-challenge "eyJhY2Nlc3NfdG9rZW4iOnsiYWNycyI6eyJlc3NlbnRpYWwiOnRydWUsInZhbHVlcyI6WyJwMSJdfX19"')
 
 
 if __name__ == '__main__':

src/azure-cli-core/azure/cli/core/auth/util.py

@@ -20,7 +20,7 @@
     "To pass a service principal certificate, use --certificate instead.")
 
 
-def aad_error_handler(error, **kwargs):
+def aad_error_handler(error, tenant=None, scopes=None, claims_challenge=None):
     """ Handle the error from AAD server returned by ADAL or MSAL. """
 
     # https://learn.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes
@@ -41,11 +41,21 @@ def aad_error_handler(error, **kwargs):
     error_codes = error.get('error_codes')
 
     # Build recommendation message
+    recommendation = None
     if error_codes and 7000215 in error_codes:
         recommendation = PASSWORD_CERTIFICATE_WARNING
     else:
-        login_command = _generate_login_command(**kwargs)
-        recommendation = "Interactive authentication is needed. Please run:\n{}".format(login_command)
+        login_command = _generate_login_command(tenant=tenant, scopes=scopes, claims_challenge=claims_challenge)
+        login_message = ('Run the command below to authenticate interactively; '
+                         'additional arguments may be added as needed:\n'
+                         f'{login_command}')
+
+        # During a challenge, the exception will caught by azure-mgmt-core, so we show a warning now
+        if claims_challenge:
+            logger.info('Failed to acquire token silently. Error detail: %s', error_description)
+            logger.warning(login_message)
+        else:
+            recommendation = login_message
 
     from azure.cli.core.azclierror import AuthenticationError
     raise AuthenticationError(error_description, msal_error=error, recommendation=recommendation)
@@ -69,10 +79,14 @@ def _generate_login_command(tenant=None, scopes=None, claims_challenge=None):
 
     # Rejected by CAE
     if claims_challenge:
-        # Explicit logout is needed: https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/335
-        return 'az logout\n' + ' '.join(login_command)
+        from azure.cli.core.util import b64encode
+        # Base64 encode the claims_challenge to avoid shell interpretation
+        claims_challenge_encoded = b64encode(claims_challenge)
+        login_command.extend(['--claims-challenge', f'"{claims_challenge_encoded}"'])
 
-    return ' '.join(login_command)
+    # Explicit logout is preferred, making sure MSAL cache is purged:
+    # https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/335
+    return 'az logout\n' + ' '.join(login_command)
 
 
 def resource_to_scopes(resource):
@@ -113,7 +127,7 @@ def scopes_to_resource(scopes):
     return scope
 
 
-def check_result(result, **kwargs):
+def check_result(result, tenant=None, scopes=None, claims_challenge=None):
     """Parse the result returned by MSAL:
 
     1. Check if the MSAL result contains a valid access token.
@@ -132,7 +146,7 @@ def check_result(result, **kwargs):
         set_msal_telemetry(result['msal_telemetry'])
 
     if 'error' in result:
-        aad_error_handler(result, **kwargs)
+        aad_error_handler(result, tenant=tenant, scopes=scopes, claims_challenge=claims_challenge)
 
     # For user authentication
     if 'id_token_claims' in result:

src/azure-cli-core/azure/cli/core/profiles/_shared.py

@@ -186,10 +186,7 @@ def default_api_version(self):
         ResourceType.MGMT_RESOURCE_PRIVATELINKS: '2020-05-01',
         ResourceType.MGMT_RESOURCE_MANAGEDAPPLICATIONS: '2019-07-01',
         ResourceType.MGMT_NETWORK_PRIVATEDNS: None,
-        ResourceType.MGMT_KEYVAULT: SDKProfile('2024-11-01', {
-            'vaults': '2023-02-01',
-            'managed_hsms': '2024-11-01'
-        }),
+        ResourceType.MGMT_KEYVAULT: None,
         ResourceType.MGMT_AUTHORIZATION: SDKProfile('2022-04-01', {
             'role_definitions': '2022-05-01-preview',
             'provider_operations_metadata': '2018-01-01-preview'
@@ -219,18 +216,18 @@ def default_api_version(self):
         ResourceType.DATA_STORAGE_QUEUE: '2018-03-28',
         ResourceType.DATA_COSMOS_TABLE: '2017-04-17',
         ResourceType.DATA_STORAGE_TABLE: None,
-        ResourceType.MGMT_SERVICEBUS: '2022-10-01-preview',
-        ResourceType.MGMT_EVENTHUB: '2022-01-01-preview',
+        ResourceType.MGMT_SERVICEBUS: None,
+        ResourceType.MGMT_EVENTHUB: None,
         ResourceType.MGMT_MONITOR: None,
         ResourceType.MGMT_MSI: '2023-01-31',
-        ResourceType.MGMT_APPSERVICE: '2023-01-01',
+        ResourceType.MGMT_APPSERVICE: '2024-11-01',
         ResourceType.MGMT_IOTHUB: '2023-06-30-preview',
         ResourceType.MGMT_IOTDPS: '2021-10-15',
         ResourceType.MGMT_IOTCENTRAL: '2021-11-01-preview',
         ResourceType.MGMT_ARO: '2023-11-22',
         ResourceType.MGMT_DATABOXEDGE: '2021-02-01-preview',
         ResourceType.MGMT_CUSTOMLOCATION: '2021-03-15-preview',
-        ResourceType.MGMT_CONTAINERSERVICE: SDKProfile('2025-04-01'),
+        ResourceType.MGMT_CONTAINERSERVICE: SDKProfile('2025-05-01'),
         ResourceType.MGMT_APPCONTAINERS: '2022-10-01',
     }
 }
@@ -259,10 +256,6 @@ def default_api_version(self):
         'VERSION_2025_03_01_PREVIEW': "2025-03-01-preview",
         'VERSION_2025_04_01': "2025-04-01"
     },
-    ResourceType.MGMT_CONTAINERSERVICE: {
-        # src/azure-cli/azure/cli/command_modules/acs/tests/latest/test_custom.py:50
-        'ManagedClusterAddonProfile': '2020-03-01',
-    },
     ResourceType.MGMT_MSI: {
         'user_assigned_identities': '2022-01-31-preview',
     }

src/azure-cli-testsdk/azure/cli/testsdk/utilities.py

@@ -223,8 +223,12 @@ def _replace_email_address(self, text):
     def process_request(self, request):
         request.uri = self._replace_email_address(request.uri)
         if request.body:
-            body = _byte_to_str(request.body)
-            request.body = self._replace_email_address(body)
+            try:
+                body = _byte_to_str(request.body)
+                request.body = self._replace_email_address(body)
+            except UnicodeDecodeError:
+                # If the body is not a string, we cannot decode it, so we skip the replacement
+                pass
         return request
 
     def process_response(self, response):

src/azure-cli/azure/cli/command_modules/acs/tests/latest/recordings/test_aks_abort.yaml

@@ -15,7 +15,7 @@ interactions:
       User-Agent:
       - AZURECLI/2.72.0 azsdk-python-core/1.31.0 Python/3.10.11 (Windows-10-10.0.26100-SP0)
     method: GET
-    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000002?api-version=2025-04-01
+    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000002?api-version=2025-05-01
   response:
     body:
       string: '{"error":{"code":"ResourceNotFound","message":"The Resource ''Microsoft.ContainerService/managedClusters/cliakstest000002''
@@ -125,7 +125,7 @@ interactions:
       User-Agent:
       - AZURECLI/2.72.0 azsdk-python-core/1.31.0 Python/3.10.11 (Windows-10-10.0.26100-SP0)
     method: PUT
-    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000002?api-version=2025-04-01
+    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000002?api-version=2025-05-01
   response:
     body:
       string: "{\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000002\",\n
@@ -221,7 +221,7 @@ interactions:
       User-Agent:
       - AZURECLI/2.72.0 azsdk-python-core/1.31.0 Python/3.10.11 (Windows-10-10.0.26100-SP0)
     method: GET
-    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000002?api-version=2025-04-01
+    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000002?api-version=2025-05-01
   response:
     body:
       string: "{\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000002\",\n
@@ -313,7 +313,7 @@ interactions:
       User-Agent:
       - AZURECLI/2.72.0 azsdk-python-core/1.31.0 Python/3.10.11 (Windows-10-10.0.26100-SP0)
     method: POST
-    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedclusters/cliakstest000002/abort?api-version=2025-04-01
+    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedclusters/cliakstest000002/abort?api-version=2025-05-01
   response:
     body:
       string: "{\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000002\",\n
@@ -565,7 +565,7 @@ interactions:
       User-Agent:
       - AZURECLI/2.72.0 azsdk-python-core/1.31.0 Python/3.10.11 (Windows-10-10.0.26100-SP0)
     method: GET
-    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000002?api-version=2025-04-01
+    uri: https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000002?api-version=2025-05-01
   response:
     body:
       string: "{\n \"id\": \"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/clitest000001/providers/Microsoft.ContainerService/managedClusters/cliakstest000002\",\n