init

jiasli · jiasli · commit 9962643648e4 · 2024-11-12T16:40:59.000+08:00
diff --git a/src/azure-cli-core/azure/cli/core/_profile.py b/src/azure-cli-core/azure/cli/core/_profile.py
@@ -226,59 +226,59 @@ def login_with_managed_identity(self, identity_id=None, allow_no_subscriptions=N
 
         import jwt
         from azure.mgmt.core.tools import is_valid_resource_id
-        from azure.cli.core.auth.adal_authentication import MSIAuthenticationWrapper
-        resource = self.cli_ctx.cloud.endpoints.active_directory_resource_id
+        from azure.cli.core.auth.msal_credentials import ManagedIdentityCredential
 
         if identity_id:
             if is_valid_resource_id(identity_id):
-                msi_creds = MSIAuthenticationWrapper(resource=resource, msi_res_id=identity_id)
+                cred = ManagedIdentityCredential(resource_id=identity_id)
+                cred.get_token(*self._arm_scope)
                 identity_type = MsiAccountTypes.user_assigned_resource_id
             else:
                 authenticated = False
-                from azure.cli.core.azclierror import AzureResponseError
                 try:
-                    msi_creds = MSIAuthenticationWrapper(resource=resource, client_id=identity_id)
+                    cred = ManagedIdentityCredential(client_id=identity_id)
+                    cred.get_token(*self._arm_scope)
                     identity_type = MsiAccountTypes.user_assigned_client_id
                     authenticated = True
-                except AzureResponseError as ex:
-                    if 'http error: 400, reason: Bad Request' in ex.error_msg:
-                        logger.info('Sniff: not an MSI client id')
+                except AuthenticationError as ex:
+                    if 'Identity not found' in ex.error_msg:
+                        logger.info('Sniff: not client id')
                     else:
                         raise
 
                 if not authenticated:
                     try:
+                        cred = ManagedIdentityCredential(object_id=identity_id)
+                        cred.get_token(*self._arm_scope)
                         identity_type = MsiAccountTypes.user_assigned_object_id
-                        msi_creds = MSIAuthenticationWrapper(resource=resource, object_id=identity_id)
                         authenticated = True
-                    except AzureResponseError as ex:
-                        if 'http error: 400, reason: Bad Request' in ex.error_msg:
-                            logger.info('Sniff: not an MSI object id')
+                    except AuthenticationError as ex:
+                        if 'Identity not found' in ex.error_msg:
+                            logger.info('Sniff: not object id')
                         else:
                             raise
 
                 if not authenticated:
-                    raise CLIError('Failed to connect to MSI, check your managed service identity id.')
+                    raise CLIError('Failed to connect to managed identity, check your managed identity ID.')
 
         else:
             identity_type = MsiAccountTypes.system_assigned
-            msi_creds = MSIAuthenticationWrapper(resource=resource)
+            cred = ManagedIdentityCredential()
 
-        token_entry = msi_creds.token
-        token = token_entry['access_token']
-        logger.info('MSI: token was retrieved. Now trying to initialize local accounts...')
+        token = cred.get_token(*self._arm_scope).token
+        logger.info('Managed identity: token was retrieved. Now trying to initialize local accounts...')
         decode = jwt.decode(token, algorithms=['RS256'], options={"verify_signature": False})
         tenant = decode['tid']
 
         subscription_finder = SubscriptionFinder(self.cli_ctx)
-        subscriptions = subscription_finder.find_using_specific_tenant(tenant, msi_creds)
+        subscriptions = subscription_finder.find_using_specific_tenant(tenant, cred)
         base_name = ('{}-{}'.format(identity_type, identity_id) if identity_id else identity_type)
         user = _USER_ASSIGNED_IDENTITY if identity_id else _SYSTEM_ASSIGNED_IDENTITY
         if not subscriptions:
             if allow_no_subscriptions:
                 subscriptions = self._build_tenant_level_accounts([tenant])
             else:
-                raise CLIError('No access was configured for the VM, hence no subscriptions were found. '
+                raise CLIError('No access was configured for the managed identity, hence no subscriptions were found. '
                                "If this is expected, use '--allow-no-subscriptions' to have tenant level access.")
 
         consolidated = self._normalize_properties(user, subscriptions, is_service_principal=True,
diff --git a/src/azure-cli-core/azure/cli/core/auth/identity.py b/src/azure-cli-core/azure/cli/core/auth/identity.py
@@ -41,11 +41,7 @@
 
 
 class Identity:  # pylint: disable=too-many-instance-attributes
-    """Class to manage identities:
-        - user
-        - service principal
-        - TODO: managed identity
-    """
+    """Manage user and service principal identities."""
 
     # MSAL token cache.
     # It follows singleton pattern so that all MSAL app instances share the same token cache.
@@ -200,12 +196,6 @@ def login_with_service_principal(self, client_id, credential, scopes):
         entry = sp_auth.get_entry_to_persist()
         self._service_principal_store.save_entry(entry)
 
-    def login_with_managed_identity(self, scopes, identity_id=None):  # pylint: disable=too-many-statements
-        raise NotImplementedError
-
-    def login_in_cloud_shell(self, scopes):
-        raise NotImplementedError
-
     def logout_user(self, username):
         # If username is an SP client ID, it is ignored
         accounts = self._msal_app.get_accounts(username)
@@ -252,9 +242,6 @@ def get_service_principal_credential(self, client_id):
         client_credential = ServicePrincipalAuth(entry).get_msal_client_credential()
         return ServicePrincipalCredential(client_id, client_credential, **self._msal_app_kwargs)
 
-    def get_managed_identity_credential(self, client_id=None):
-        raise NotImplementedError
-
 
 class ServicePrincipalAuth:  # pylint: disable=too-many-instance-attributes
     def __init__(self, entry):
diff --git a/src/azure-cli-core/azure/cli/core/auth/msal_credentials.py b/src/azure-cli-core/azure/cli/core/auth/msal_credentials.py
@@ -19,7 +19,7 @@
 from knack.log import get_logger
 from knack.util import CLIError
 from msal import (PublicClientApplication, ConfidentialClientApplication,
-                  ManagedIdentityClient, SystemAssignedManagedIdentity)
+                  ManagedIdentityClient, SystemAssignedManagedIdentity, UserAssignedManagedIdentity)
 
 from .constants import AZURE_CLI_CLIENT_ID
 from .util import check_result, build_sdk_access_token
@@ -139,9 +139,14 @@ class ManagedIdentityCredential:  # pylint: disable=too-few-public-methods
     Currently, only Azure Arc's system-assigned managed identity is supported.
     """
 
-    def __init__(self):
+    def __init__(self, client_id=None, resource_id=None, object_id=None):
         import requests
-        self._msal_client = ManagedIdentityClient(SystemAssignedManagedIdentity(), http_client=requests.Session())
+        if client_id or resource_id or object_id:
+            managed_identity = UserAssignedManagedIdentity(client_id=client_id, resource_id=resource_id,
+                                                           object_id=object_id)
+        else:
+            managed_identity = SystemAssignedManagedIdentity()
+        self._msal_client = ManagedIdentityClient(managed_identity, http_client=requests.Session())
 
     def get_token(self, *scopes, **kwargs):
         logger.debug("ManagedIdentityCredential.get_token: scopes=%r, kwargs=%r", scopes, kwargs)
