Merge branch 'dev' of https://github.com/Azure/azure-cli into support-confidential-vm-v2

Author: yanzhudd

src/azure-cli-core/azure/cli/core/_profile.py

@@ -360,17 +360,20 @@ def get_raw_token(self, resource=None, scopes=None, subscription=None, tenant=No
 
         managed_identity_type, managed_identity_id = Profile._parse_managed_identity_account(account)
 
+        non_current_tenant_template = ("For {} account, getting access token for non-current tenants is not "
+                                       "supported. The specified tenant must be the current tenant "
+                                       f"{account[_TENANT_ID]}")
         if in_cloud_console() and account[_USER_ENTITY].get(_CLOUD_SHELL_ID):
             # Cloud Shell
-            if tenant:
-                raise CLIError("Tenant shouldn't be specified for Cloud Shell account")
+            if tenant and tenant != account[_TENANT_ID]:
+                raise CLIError(non_current_tenant_template.format('Cloud Shell'))
             from .auth.msal_credentials import CloudShellCredential
             cred = CloudShellCredential()
 
         elif managed_identity_type:
             # managed identity
-            if tenant:
-                raise CLIError("Tenant shouldn't be specified for managed identity account")
+            if tenant and tenant != account[_TENANT_ID]:
+                raise CLIError(non_current_tenant_template.format('managed identity'))
             cred = ManagedIdentityAuth.credential_factory(managed_identity_type, managed_identity_id)
             if credential_out:
                 credential_out['credential'] = cred

src/azure-cli-core/azure/cli/core/tests/test_profile.py

@@ -1134,9 +1134,15 @@ def test_get_raw_token_mi_system_assigned(self):
         self.assertEqual(subscription_id, self.test_mi_subscription_id)
         self.assertEqual(tenant_id, self.test_mi_tenant)
 
-        # verify tenant shouldn't be specified for MSI account
-        with self.assertRaisesRegex(CLIError, "Tenant shouldn't be specified"):
-            cred, subscription_id, _ = profile.get_raw_token(resource='http://test_resource', tenant=self.tenant_id)
+        # Specifying the current tenant is allowed
+        cred, subscription_id, tenant_id = profile.get_raw_token(tenant=self.test_mi_tenant)
+        self.assertEqual(tenant_id, self.test_mi_tenant)
+
+        # Specifying a non-current tenant is disallowed
+        with self.assertRaisesRegex(CLIError,
+                                    "For managed identity account, getting access token for non-current tenants is "
+                                    "not supported"):
+            profile.get_raw_token(tenant='another-tenant')
 
     @mock.patch('azure.cli.core.auth.util.now_timestamp', new=now_timestamp_mock)
     @mock.patch('azure.cli.core.auth.msal_credentials.ManagedIdentityCredential', ManagedIdentityCredentialStub)
@@ -1285,9 +1291,15 @@ def cloud_shell_credential_factory():
         self.assertEqual(subscription_id, test_subscription_id)
         self.assertEqual(tenant_id, test_tenant_id)
 
-        # Verify tenant shouldn't be specified for Cloud Shell account
-        with self.assertRaisesRegex(CLIError, 'Cloud Shell'):
-            profile.get_raw_token(resource='http://test_resource', tenant=self.tenant_id)
+        # Specifying the current tenant is allowed
+        cred, subscription_id, tenant_id = profile.get_raw_token(tenant=test_tenant_id)
+        self.assertEqual(tenant_id, test_tenant_id)
+
+        # Specifying a non-current tenant is disallowed
+        with self.assertRaisesRegex(CLIError,
+                                    "For Cloud Shell account, getting access token for non-current tenants is "
+                                    "not supported"):
+            profile.get_raw_token(tenant='another-tenant')
 
     @mock.patch('azure.cli.core.auth.identity.Identity.get_user_credential')
     def test_get_msal_token(self, get_user_credential_mock):

src/azure-cli-core/azure/cli/core/util.py

@@ -1164,12 +1164,6 @@ def __exit__(self, exc_type, exc_val, exc_tb):
 
 
 def _ssl_context():
-    if sys.version_info < (3, 4) or (in_cloud_console() and platform.system() == 'Windows'):
-        try:
-            return ssl.SSLContext(ssl.PROTOCOL_TLS)  # added in python 2.7.13 and 3.6
-        except AttributeError:
-            return ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-
     return ssl.create_default_context()
 
 

src/azure-cli/azure/cli/command_modules/acr/helm.py

@@ -10,7 +10,7 @@
 from knack.util import CLIError
 from knack.log import get_logger
 
-from azure.cli.core.util import in_cloud_console, user_confirmation
+from azure.cli.core.util import user_confirmation
 
 from ._docker_utils import (
     get_access_credentials,
@@ -366,15 +366,7 @@ def _get_helm_package_name(client_version):
 
 
 def _ssl_context():
-    import sys
     import ssl
-
-    if sys.version_info < (3, 4) or (in_cloud_console() and platform.system() == 'Windows'):
-        try:
-            return ssl.SSLContext(ssl.PROTOCOL_TLS)  # added in python 2.7.13 and 3.6
-        except AttributeError:
-            return ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-
     return ssl.create_default_context()
 
 

src/azure-cli/azure/cli/command_modules/acs/custom.py

@@ -2218,13 +2218,6 @@ def k8s_install_kubelogin(cmd, client_version='latest', install_location=None, s
 
 
 def _ssl_context():
-    if sys.version_info < (3, 4) or (in_cloud_console() and platform.system() == 'Windows'):
-        try:
-            # added in python 2.7.13 and 3.6
-            return ssl.SSLContext(ssl.PROTOCOL_TLS)
-        except AttributeError:
-            return ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-
     return ssl.create_default_context()
 
 

src/azure-cli/azure/cli/command_modules/appservice/custom.py

@@ -41,7 +41,7 @@
 
 from azure.cli.core.commands.client_factory import get_mgmt_service_client
 from azure.cli.core.commands import LongRunningOperation
-from azure.cli.core.util import in_cloud_console, shell_safe_json_parse, open_page_in_browser, get_json_object, \
+from azure.cli.core.util import shell_safe_json_parse, open_page_in_browser, get_json_object, \
     ConfiguredDefaultSetter, sdk_no_wait
 from azure.cli.core.util import get_az_user_agent, send_raw_request, get_file_json
 from azure.cli.core.profiles import ResourceType, get_sdk
@@ -2676,12 +2676,6 @@ def _redact_storage_accounts(properties):
 
 
 def _ssl_context():
-    if sys.version_info < (3, 4) or (in_cloud_console() and sys.platform.system() == 'Windows'):
-        try:
-            return ssl.SSLContext(ssl.PROTOCOL_TLS)  # added in python 2.7.13 and 3.6
-        except AttributeError:
-            return ssl.SSLContext(ssl.PROTOCOL_TLSv1)
-
     return ssl.create_default_context()