Add support for AadWorkloadIdentity authentication mode.

sharpjs · sharpjs · commit c81212df81b1 · 2025-11-28T20:34:25.000-08:00
diff --git a/PSql.Tests/Tests.Unit/AzureAuthenticationModeExtensionsTests.cs b/PSql.Tests/Tests.Unit/AzureAuthenticationModeExtensionsTests.cs
@@ -9,15 +9,16 @@ namespace PSql.Tests.Unit;
 public class AzureAuthenticationModeExtensionsTests
 {
     [Test]
-    [TestCase(SqlPassword         , "Sql Password"                      )]
-    [TestCase(AadPassword         , "Active Directory Password"         )]
-    [TestCase(AadIntegrated       , "Active Directory Integrated"       )]
-    [TestCase(AadInteractive      , "Active Directory Interactive"      )]
-    [TestCase(AadServicePrincipal , "Active Directory Service Principal")]
-    [TestCase(AadDeviceCodeFlow   , "Active Directory Device Code Flow" )]
-    [TestCase(AadManagedIdentity  , "Active Directory Managed Identity" )]
-    [TestCase(AadDefault          , "Active Directory Default"          )]
-    [TestCase(-1                  , null                                )]
+    [TestCase(SqlPassword,         "Sql Password"                      )]
+    [TestCase(AadPassword,         "Active Directory Password"         )]
+    [TestCase(AadIntegrated,       "Active Directory Integrated"       )]
+    [TestCase(AadInteractive,      "Active Directory Interactive"      )]
+    [TestCase(AadServicePrincipal, "Active Directory Service Principal")]
+    [TestCase(AadDeviceCodeFlow,   "Active Directory Device Code Flow" )]
+    [TestCase(AadManagedIdentity,  "Active Directory Managed Identity" )]
+    [TestCase(AadDefault,          "Active Directory Default"          )]
+    [TestCase(AadWorkloadIdentity, "Active Directory Workload Identity")]
+    [TestCase(-1,                  null                                )]
     public void RenderForConnectionString(AzureAuthenticationMode mode, string? value)
     {
         mode.RenderForConnectionString().ShouldBe(value);
diff --git a/PSql.Tests/Tests.Unit/AzureSqlContextTests.cs b/PSql.Tests/Tests.Unit/AzureSqlContextTests.cs
@@ -23,6 +23,7 @@ private const string
         Auth_AadDeviceCodeFlow   = @"Authentication=""Active Directory Device Code Flow"";",
         Auth_AadManagedIdentity  = @"Authentication=""Active Directory Managed Identity"";",
         Auth_AadDefault          = @"Authentication=""Active Directory Default"";",
+        Auth_AadWorkloadIdentity = @"Authentication=""Active Directory Workload Identity"";",
         UserName                 = "User ID=user;",
         Password                 = "Password=pass;";
 
@@ -413,12 +414,13 @@ public void GetConnectionString_ExplicitDatabase_Parameter()
     }
 
     [Test]
-    [TestCase(Default,            Auth_AadIntegrated)]
-    [TestCase(AadIntegrated,      Auth_AadIntegrated)]
-    [TestCase(AadInteractive,     Auth_AadInteractive)]
-    [TestCase(AadDeviceCodeFlow,  Auth_AadDeviceCodeFlow)]
-    [TestCase(AadManagedIdentity, Auth_AadManagedIdentity)] // credential is optional
-    [TestCase(AadDefault,         Auth_AadDefault)]         // credential is optional
+    [TestCase(Default,             Auth_AadIntegrated)]
+    [TestCase(AadIntegrated,       Auth_AadIntegrated)]
+    [TestCase(AadInteractive,      Auth_AadInteractive)]
+    [TestCase(AadDeviceCodeFlow,   Auth_AadDeviceCodeFlow)]
+    [TestCase(AadManagedIdentity,  Auth_AadManagedIdentity)]  // credential is optional
+    [TestCase(AadDefault,          Auth_AadDefault)]          // credential is optional
+    [TestCase(AadWorkloadIdentity, Auth_AadWorkloadIdentity)] // credential is optional
     public void GetConnectionString_NoCredential(AzureAuthenticationMode mode, string fragment)
     {
         var context = new AzureSqlContext
@@ -447,6 +449,7 @@ public void GetConnectionString_NoCredential(AzureAuthenticationMode mode, strin
     [TestCase(AadDeviceCodeFlow  )]
     [TestCase(AadManagedIdentity )] // credential is optional
     [TestCase(AadDefault         )] // credential is optional
+    [TestCase(AadWorkloadIdentity)] // credential is optional
     public void GetConnectionString_NoCredential_Unsupported(AzureAuthenticationMode mode)
     {
         var context = new AzureSqlContext
@@ -488,15 +491,16 @@ public void GetConnectionString_NoCredential_Required(AzureAuthenticationMode mo
     }
 
     [Test]
-    [TestCase(Default,                                         UserName + Password)]
-    [TestCase(SqlPassword,                                     UserName + Password)]
-    [TestCase(AadPassword,          Auth_AadPassword         + UserName + Password)]
-    [TestCase(AadIntegrated,        Auth_AadIntegrated                            )]
-    [TestCase(AadInteractive,       Auth_AadInteractive                           )]
-    [TestCase(AadServicePrincipal,  Auth_AadServicePrincipal + UserName + Password)]
-    [TestCase(AadDeviceCodeFlow,    Auth_AadDeviceCodeFlow                        )]
-    [TestCase(AadManagedIdentity,   Auth_AadManagedIdentity  + UserName           )]
-    [TestCase(AadDefault,           Auth_AadDefault          + UserName           )]
+    [TestCase(Default,                                        UserName + Password)]
+    [TestCase(SqlPassword,                                    UserName + Password)]
+    [TestCase(AadPassword,         Auth_AadPassword         + UserName + Password)]
+    [TestCase(AadIntegrated,       Auth_AadIntegrated                            )]
+    [TestCase(AadInteractive,      Auth_AadInteractive                           )]
+    [TestCase(AadServicePrincipal, Auth_AadServicePrincipal + UserName + Password)]
+    [TestCase(AadDeviceCodeFlow,   Auth_AadDeviceCodeFlow                        )]
+    [TestCase(AadManagedIdentity,  Auth_AadManagedIdentity  + UserName           )]
+    [TestCase(AadDefault,          Auth_AadDefault          + UserName           )]
+    [TestCase(AadWorkloadIdentity, Auth_AadWorkloadIdentity + UserName           )]
     public void GetConnectionString_ExplicitCredential(AzureAuthenticationMode mode, string fragment)
     {
         var context = new AzureSqlContext
diff --git a/PSql.Tests/Tests.Unit/SqlClientVersionExtensionsTests.cs b/PSql.Tests/Tests.Unit/SqlClientVersionExtensionsTests.cs
@@ -10,21 +10,22 @@ namespace PSql;
 public class SqlClientVersionExtensionsTests
 {
     [Test]
-    //                                     2.1 1.1
-    //        MODE                    5 4 3 : 2 : 1 L
-    [TestCase(Default,             0b_1_1_1_1_1_1_1_0)]
-    [TestCase(SqlPassword,         0b_1_1_1_1_1_1_1_0)]
-    [TestCase(AadPassword,         0b_1_1_1_1_1_1_1_0)]
-    [TestCase(AadIntegrated,       0b_1_1_1_1_1_1_1_0)]
-    [TestCase(AadInteractive,      0b_1_1_1_1_1_1_1_0)]
-    [TestCase(AadServicePrincipal, 0b_1_1_1_1_1_0_0_0)]
-    [TestCase(AadDeviceCodeFlow,   0b_1_1_1_1_0_0_0_0)]
-    [TestCase(AadManagedIdentity,  0b_1_1_1_1_0_0_0_0)]
-    [TestCase(AadDefault,          0b_1_1_1_0_0_0_0_0)]
-    [TestCase(-1,                  0b_0_0_0_0_0_0_0_0)]
+    //                         MAJOR: 5 5 4 3 2 2 1 1
+    //        MODE             MINOR: 2 0 0 0 1 0 1 0 Legacy
+    [TestCase(Default,             0b_1_1_1_1_1_1_1_1_0)]
+    [TestCase(SqlPassword,         0b_1_1_1_1_1_1_1_1_0)]
+    [TestCase(AadPassword,         0b_1_1_1_1_1_1_1_1_0)]
+    [TestCase(AadIntegrated,       0b_1_1_1_1_1_1_1_1_0)]
+    [TestCase(AadInteractive,      0b_1_1_1_1_1_1_1_1_0)]
+    [TestCase(AadServicePrincipal, 0b_1_1_1_1_1_1_0_0_0)]
+    [TestCase(AadDeviceCodeFlow,   0b_1_1_1_1_1_0_0_0_0)]
+    [TestCase(AadManagedIdentity,  0b_1_1_1_1_1_0_0_0_0)]
+    [TestCase(AadDefault,          0b_1_1_1_1_0_0_0_0_0)]
+    [TestCase(AadWorkloadIdentity, 0b_1_0_0_0_0_0_0_0_0)]
+    [TestCase(-1,                  0b_0_0_0_0_0_0_0_0_0)]
     public void SupportsAuthenticationMode(AzureAuthenticationMode mode, long bitmap)                                                           
     {
-        for (var version = Legacy; version < Mds5; version++)
+        for (var version = Legacy; version < Latest; version++)
         {
             var expected = (bitmap & 1) != 0;
 
diff --git a/PSql/Data/AzureAuthenticationMode.cs b/PSql/Data/AzureAuthenticationMode.cs
@@ -85,7 +85,7 @@ public enum AzureAuthenticationMode // ~> M.D.S.SqlAuthenticationMethod
     /// <remarks>
     ///   For a user-assigned managed identity,
     ///     the <see cref="SqlContext.Credential"/> property's username
-    ///     should be the object ID of the identity; the password is ignored.
+    ///     should be the client ID of the identity; the password is ignored.
     ///   For a system-assigned managed identity,
     ///     the <see cref="SqlContext.Credential"/> property
     ///     should be <see langword="null"/>.
@@ -148,4 +148,18 @@ public enum AzureAuthenticationMode // ~> M.D.S.SqlAuthenticationMethod
     ///   </list>
     /// </remarks>
     AadDefault = 9, // ActiveDirectoryDefault
+
+    /// <summary>
+    ///   Entra ID workload identity authentication mode.
+    /// </summary>
+    /// <remarks>
+    ///   This mode is similar to managed identity authentication, except that
+    ///   default values are taken from environment variables.  If the
+    ///   <see cref="SqlContext.Credential"/> property is not
+    ///   <see langword="null"/>, the credential's username overrides any
+    ///   client ID found in the environment, and the credential's password is
+    ///   ignored.
+    /// </remarks>
+    /// <see href="https://learn.microsoft.com/en-ca/sql/connect/ado-net/sql/azure-active-directory-authentication#using-workload-identity-authentication"/>
+    AadWorkloadIdentity = 10, // ActiveDirectoryWorkloadIdentity
 }
diff --git a/PSql/Data/AzureSqlContext.cs b/PSql/Data/AzureSqlContext.cs
@@ -233,6 +233,7 @@ private protected override void
             // Optional, password ignored
             case AadManagedIdentity:
             case AadDefault:
+            case AadWorkloadIdentity:
                 if (!Credential.IsNullOrEmpty())
                     builder.AppendUserName(Credential.UserName);
                 break;
diff --git a/PSql/Utilities/AzureAuthenticationModeExtensions.cs b/PSql/Utilities/AzureAuthenticationModeExtensions.cs
@@ -19,6 +19,7 @@ internal static class AzureAuthenticationModeExtensions
             AadDeviceCodeFlow   => "Active Directory Device Code Flow",
             AadManagedIdentity  => "Active Directory Managed Identity",
             AadDefault          => "Active Directory Default",
+            AadWorkloadIdentity => "Active Directory Workload Identity",
             _                   => null,
         };
     }
diff --git a/PSql/Utilities/SqlClientVersionExtensions.cs b/PSql/Utilities/SqlClientVersionExtensions.cs
@@ -83,6 +83,7 @@ public static bool SupportsAuthenticationMode(
             AadDeviceCodeFlow   => version >= Mds2_1,
             AadManagedIdentity  => version >= Mds2_1,
             AadDefault          => version >= Mds3,
+            AadWorkloadIdentity => version >= Mds5_2,
             _                   => false,
         };
 
diff --git a/PSql/en-US/PSql.dll-help.xml b/PSql/en-US/PSql.dll-help.xml
@@ -937,7 +937,7 @@
             <dev:value>AadManagedIdentity</dev:value>
             <maml:description>
               <maml:para>
-                Entra ID managed identity authentication mode.  For a user-assigned identity, -Credential is required and should match the object ID of the identity; the password is ignored.  For a system-assigned identity, -Credential should be omitted.
+                Entra ID managed identity authentication mode.  For a user-assigned identity, -Credential is required and should match the client ID of the identity; the password is ignored.  For a system-assigned identity, -Credential should be omitted.
               </maml:para>
             </maml:description>
           </dev:possibleValue>
@@ -949,6 +949,14 @@
               </maml:para>
             </maml:description>
           </dev:possibleValue>
+          <dev:possibleValue>
+            <dev:value>AadWorkloadIdentity</dev:value>
+            <maml:description>
+              <maml:para>
+                Entra ID workload identity authentication mode.  This mode is similar to managed identity authentication, except that default values are taken from environment variables.  If a -Credential is provided, its username overrides any client ID found in the environment, and its password is ignored.
+              </maml:para>
+            </maml:description>
+          </dev:possibleValue>
         </dev:possibleValues>
       </command:parameter>
 

Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@ internal static class AzureAuthenticationModeExtensions`
`19`	`19`	`AadDeviceCodeFlow => "Active Directory Device Code Flow",`
`20`	`20`	`AadManagedIdentity => "Active Directory Managed Identity",`
`21`	`21`	`AadDefault => "Active Directory Default",`
	`22`	`+ AadWorkloadIdentity => "Active Directory Workload Identity",`
`22`	`23`	`_ => null,`
`23`	`24`	`};`
`24`	`25`	`}`