More updates

Author: bgavrilMS

Directory.Packages.props

@@ -39,8 +39,10 @@
   </ItemGroup>
   <ItemGroup>
     <!-- Packages for the tests -->
-    <PackageVersion Include="Azure.Security.KeyVault.Certificates" Version="4.6.0" />
-    <PackageVersion Include="Azure.Security.KeyVault.Secrets" Version="4.6.0" />
+    <PackageVersion Include="Azure.Security.KeyVault.Certificates" Version="4.7.0" />
+    <PackageVersion Include="Azure.Security.KeyVault.Secrets" Version="4.7.0" />
+    <PackageVersion Include="Azure.Identity" Version="1.13.1" />
+    <PackageVersion Include="Azure.Identity.Broker" Version="1.2.0" />
     <PackageVersion Include="BenchmarkDotNet" Version="0.13.6" />
     <PackageVersion Include="BenchmarkDotNet.Diagnostics.Windows" Version="0.13.6" />
     <PackageVersion Include="coverlet.collector" Version="3.1.2" />

tests/Microsoft.Identity.Test.Integration.netcore/HeadlessTests/CiamIntegrationTests.cs

@@ -199,11 +199,5 @@ public async Task OBOCiam_CustomDomain_ReturnsValidTokens()
             Assert.AreEqual(atHash, userCacheRecorder.LastAfterAccessNotificationArgs.SuggestedCacheKey);
             Assert.AreEqual(TokenSource.Cache, resultObo.AuthenticationResultMetadata.TokenSource);
         }
-
-        private string GetCiamSecret()
-        {
-            KeyVaultSecretsProvider provider = new KeyVaultSecretsProvider();
-            return provider.GetSecretByName("msidlabciam2-cc").Value;
-        }
     }
 }

tests/Microsoft.Identity.Test.Integration.netcore/Infrastructure/PoPValidator.cs

@@ -17,12 +17,7 @@ namespace Microsoft.Identity.Test.Integration.Infrastructure
     public class PoPValidator
     {
         // This endpoint is hosted in the MSID Lab and is able to verify any pop token bound to an HTTP request
-        private const string PoPValidatorEndpoint = "https://signedhttprequest.azurewebsites.net/api/validateSHR";
         private static HttpClient s_httpClient = new HttpClient();
-        private static Lazy<string> s_popValidationEndpointLazy = new Lazy<string>(
-            () => LabUserHelper.KeyVaultSecretsProviderMsal.GetSecretByName(
-                "automation-pop-validation-endpoint",
-                "841fc7c2ccdd48d7a9ef727e4ae84325").Value);
 
         /// <summary>
         /// This calls a special endpoint that validates any POP token against a configurable HTTP request.

tests/Microsoft.Identity.Test.LabInfrastructure/KeyVaultSecretsProvider.cs

@@ -24,7 +24,7 @@ public class KeyVaultInstance
         public const string MsalTeam = "https://buildautomation.vault.azure.net/";
     }
 
-    public class KeyVaultSecretsProvider : IDisposable
+    public class KeyVaultSecretsProvider
     {
         private CertificateClient _certificateClient;
         private SecretClient _secretClient;
@@ -58,41 +58,20 @@ public class KeyVaultSecretsProvider : IDisposable
         /// </remarks>
         public KeyVaultSecretsProvider(string keyVaultAddress = KeyVaultInstance.MSIDLab)
         {
-            var credentials = GetKeyVaultCredentialAsync().GetAwaiter().GetResult();
+            var credential = LabAuthenticationHelper.GetTokenCredential();
             var keyVaultAddressUri = new Uri(keyVaultAddress);
-            _certificateClient = new CertificateClient(keyVaultAddressUri, credentials);
-            _secretClient = new SecretClient(keyVaultAddressUri, credentials);
-        }
-
-        ~KeyVaultSecretsProvider()
-        {
-            Dispose();
+            _certificateClient = new CertificateClient(keyVaultAddressUri, credential);
+            _secretClient = new SecretClient(keyVaultAddressUri, credential);
         }
 
         public KeyVaultSecret GetSecretByName(string secretName)
         {
             return _secretClient.GetSecret(secretName).Value;
         }
-
-        public KeyVaultSecret GetSecretByName(string secretName, string secretVersion)
-        {
-            return _secretClient.GetSecret(secretName, secretVersion).Value;
-        }
-
+        
         public async Task<X509Certificate2> GetCertificateWithPrivateMaterialAsync(string certName)
         {
             return await _certificateClient.DownloadCertificateAsync(certName).ConfigureAwait(false);
-        }
-
-        private async Task<TokenCredential> GetKeyVaultCredentialAsync()
-        {
-            var accessToken = await LabAuthenticationHelper.GetKeyVaultAccessToken().ConfigureAwait(false);
-            return DelegatedTokenCredential.Create((_, __) => accessToken);
-        }
-
-        public void Dispose()
-        {
-            GC.SuppressFinalize(this);
-        }
+        }       
     }
 }

tests/Microsoft.Identity.Test.LabInfrastructure/LabAuthenticationHelper.cs

@@ -8,60 +8,103 @@
 using System.Threading.Tasks;
 using Azure.Core;
 using Microsoft.Identity.Client;
+using Microsoft.Identity.Client.Broker;
 using Microsoft.Identity.Test.Unit;
 using Microsoft.Identity.Test.Common.Core.Mocks;
 using Microsoft.Identity.Test.Common.Core.Helpers;
+using Azure.Identity;
+using System.Runtime.InteropServices;
+using System.Linq;
+using Azure.Identity.Broker;
+using System.Diagnostics;
+using System.Collections.Generic;
 
 namespace Microsoft.Identity.Test.LabInfrastructure
 {
     internal static class LabAuthenticationHelper
     {
         public static async Task<AccessToken> GetAccessTokenForLabAPIAsync()
         {
-            string[] scopes = [LabApiConstants.LabScope];
+            var tokenCredential = GetTokenCredential();
 
-            return await GetLabAccessTokenAsync(
-                LabApiConstants.LabClientInstance + LabApiConstants.LabClientTenantId, 
-                scopes).ConfigureAwait(false);
+            return await tokenCredential
+                           .GetTokenAsync(new TokenRequestContext([LabApiConstants.LabScope]), default)
+                           .ConfigureAwait(false);
         }
 
         public static async Task<AccessToken> GetKeyVaultAccessToken()
         {
-            var accessToken = await GetLabAccessTokenAsync(
-              "https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/",
-              new[] { "https://vault.azure.net/.default" }).ConfigureAwait(false);
+            var tokenCredential = GetTokenCredential();
 
-            return accessToken;
+            return await tokenCredential
+                            .GetTokenAsync(new TokenRequestContext(["https://vault.azure.net/.default"]), default)
+                            .ConfigureAwait(false);
         }
 
-        private static async Task<AccessToken> GetLabAccessTokenAsync(string authority, string[] scopes)
+        internal static TokenCredential GetTokenCredential()
         {
-            AuthenticationResult authResult;
-            IConfidentialClientApplication confidentialApp;
-            X509Certificate2 cert;
-
-            cert = CertificateHelper.FindCertificateByName(TestConstants.AutomationTestCertName);
-            if (cert == null)
+            TokenCredential tokenCredential;
+            if (Environment.GetEnvironmentVariable("TF_BUILD") == null)
+            {
+                Debug.WriteLine("[LabAPI] Not on CI, using interactive browser/broker credential");
+                tokenCredential = GetAzureCredentialForDevBox();
+            }
+            else
             {
-                throw new InvalidOperationException(
-                    "Test setup error - cannot find a certificate in the My store for KeyVault. This is available for Microsoft employees only.");
+                Debug.WriteLine("[LabAPI] On CI, using ADO federation");
+                tokenCredential = GetAzureCredentialForCI();
             }
 
-            confidentialApp = ConfidentialClientApplicationBuilder
-                .Create(LabApiConstants.LabClientId)
-                .WithAuthority(new Uri(authority), true)
-                .WithCacheOptions(CacheOptions.EnableSharedCacheOptions)
-                .WithCertificate(cert, true)
-                .Build();
+            return tokenCredential;
+        }
+
+        private static TokenCredential GetAzureCredentialForCI()
+        {
+            // as per https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/identity/Azure.Identity/samples/OtherCredentialSamples.md#authenticating-in-azure-pipelines-with-service-connections
+
+            string clientId = "4b7a4b0b-ecb2-409e-879a-1e21a15ddaf6"; // UAMI client ID
+            string tenantId = LabApiConstants.LabClientTenantId;
+            string serviceConnectionId = "6eeeb73d-37aa-4d78-83b7-728101b8bddd";
 
-            authResult = await confidentialApp
-                .AcquireTokenForClient(scopes)
-                .WithSendX5C(true)
-                .ExecuteAsync(CancellationToken.None)
-                .ConfigureAwait(false);
+            var pipelinesCredential = new AzurePipelinesCredential(
+                tenantId,
+                clientId,
+                serviceConnectionId,
+                Environment.GetEnvironmentVariable("SYSTEM_ACCESSTOKEN"),
+                new AzurePipelinesCredentialOptions()
+                {
+                    TokenCachePersistenceOptions = new TokenCachePersistenceOptions()
+                    {
+                        Name = "MSIDLabTokenCache",
+                        UnsafeAllowUnencryptedStorage = true // We generally use headless Linux, so cannot use LibSecret. This is the ~same level of protection as SSH keys.
+                    }
+                });
 
-            return new AccessToken(authResult.AccessToken, authResult.ExpiresOn);
+            return pipelinesCredential;
         }
-    }
 
+        // TODO: test this on MacOs / Linux WSL
+        private static TokenCredential GetAzureCredentialForDevBox()
+        {
+            InteractiveBrowserCredential interactiveBrowserCredential = new InteractiveBrowserCredential(
+            new InteractiveBrowserCredentialBrokerOptions(GetForegroundWindow())
+            {
+                ClientId = LabApiConstants.LabClientId,
+                TenantId = LabApiConstants.LabClientTenantId,
+                TokenCachePersistenceOptions = new TokenCachePersistenceOptions()
+                {
+                    Name = "MSIDLabTokenCache",
+                    UnsafeAllowUnencryptedStorage = true // We generally use headless Linux, so cannot use LibSecret. This is the ~same level of protection as SSH keys.
+                },
+                RedirectUri = new Uri("http://localhost"), // On Mac and Linux, MSAL will fallback to browser
+                UseDefaultBrokerAccount = true // 
+
+            });
+
+            return interactiveBrowserCredential;
+        }
+
+        [DllImport("user32.dll")]
+        private static extern IntPtr GetForegroundWindow();
+    }
 }

tests/Microsoft.Identity.Test.LabInfrastructure/LabUserHelper.cs

@@ -1,7 +1,4 @@
-// Copyright (c) Microsoft Corporation. All rights reserved.
-// Licensed under the MIT License.
-
-using System;
+using System;
 using System.Collections.Concurrent;
 using System.Diagnostics;
 using System.Threading.Tasks;
@@ -11,22 +8,41 @@ namespace Microsoft.Identity.Test.LabInfrastructure
 {
     public static class LabUserHelper
     {
-        private static readonly LabServiceApi s_labService;
+        private static readonly LabServiceApi s_labService = new LabServiceApi();
         private static readonly ConcurrentDictionary<UserQuery, LabResponse> s_userCache =
             new ConcurrentDictionary<UserQuery, LabResponse>();
 
-        public static KeyVaultSecretsProvider KeyVaultSecretsProviderMsal { get; }
-        public static KeyVaultSecretsProvider KeyVaultSecretsProviderMsid { get; }
+        public static KeyVaultSecretsProvider KeyVaultSecretsProviderMsal { get; private set; }
+        public static KeyVaultSecretsProvider KeyVaultSecretsProviderMsid { get; private set; }
+
+        private static bool _isInitialized = false;
+        private static readonly object _initializationLock = new object();
 
-        static LabUserHelper()
+        public static void Initialize()
         {
-            KeyVaultSecretsProviderMsal = new KeyVaultSecretsProvider(KeyVaultInstance.MsalTeam);
-            KeyVaultSecretsProviderMsid = new KeyVaultSecretsProvider(KeyVaultInstance.MSIDLab);
-            s_labService = new LabServiceApi();
+            if (_isInitialized)
+            {
+                return;
+            }
+
+            lock (_initializationLock)
+            {
+                if (_isInitialized)
+                {
+                    return;
+                }
+
+                KeyVaultSecretsProviderMsal = new KeyVaultSecretsProvider(KeyVaultInstance.MsalTeam);
+                KeyVaultSecretsProviderMsid = new KeyVaultSecretsProvider(KeyVaultInstance.MSIDLab);
+
+                _isInitialized = true;
+            }
         }
 
         internal static async Task<LabResponse> GetLabUserDataAsync(UserQuery query)
         {
+            Initialize();
+
             if (s_userCache.ContainsKey(query))
             {
                 Trace.WriteLine("Lab user cache hit. Selected user: " + s_userCache[query].User.Upn);
@@ -54,23 +70,16 @@ public static Task<LabResponse> GetLabUserDataForSpecificUserAsync(string upn)
 
         public static async Task<string> GetMSIEnvironmentVariablesAsync(string uri)
         {
+            Initialize();
             string result = await s_labService.GetLabResponseAsync(uri).ConfigureAwait(false);
             return result;
         }
 
-        /// <summary>
-        /// Returns the AAD cloud user idlab1@msidlab4.onmicrosoft.com
-        /// </summary>
-        /// <returns></returns>
         public static Task<LabResponse> GetDefaultUserAsync()
         {
             return GetLabUserDataAsync(UserQuery.PublicAadUserQuery);
         }
 
-        /// <summary>
-        /// Returns the AAD cloud user idlab@msidlab4.onmicrosoft.com
-        /// </summary>
-        /// <returns></returns>
         public static Task<LabResponse> GetDefaultUser2Async()
         {
             return GetLabUserDataAsync(UserQuery.PublicAadUser2Query);
@@ -112,9 +121,6 @@ public static async Task<LabResponse> GetB2CMSAAccountAsync()
             return response;
         }
 
-        /// <summary>
-        /// Gets a user for which you know the UPN.
-        /// </summary>
         public static Task<LabResponse> GetSpecificUserAsync(string upn)
         {
             return GetLabUserDataAsync(new UserQuery() { Upn = upn });

tests/Microsoft.Identity.Test.LabInfrastructure/Microsoft.Identity.Test.LabInfrastructure.csproj

@@ -8,10 +8,13 @@
   <ItemGroup>
     <PackageReference Include="Azure.Security.KeyVault.Certificates" />
     <PackageReference Include="Azure.Security.KeyVault.Secrets" />    
+    <PackageReference Include="Azure.Identity" />
+    <PackageReference Include="Azure.Identity.Broker" />
     <PackageReference Include="Newtonsoft.Json" />
   </ItemGroup>
 
   <ItemGroup>
+    <ProjectReference Include="..\..\src\client\Microsoft.Identity.Client.Broker\Microsoft.Identity.Client.Broker.csproj" />
     <ProjectReference Include="..\..\src\client\Microsoft.Identity.Client\Microsoft.Identity.Client.csproj">
       <Project>{3433eb33-114a-4db7-bc57-14f17f55da3c}</Project>
       <Name>Microsoft.Identity.Client</Name>