[ACR] az acr login: Enforce using acr audience in aad token acquisition (#31798)

Author: northtyphoon

src/azure-cli/azure/cli/command_modules/acr/_docker_utils.py

@@ -28,7 +28,6 @@
 from ._constants import get_managed_sku
 from ._constants import ACR_AUDIENCE_RESOURCE_NAME
 from ._utils import get_registry_by_name, ResourceNotFound
-from .policy import acr_config_authentication_as_arm_show
 from ._format import add_timestamp
 from ._errors import CONNECTIVITY_TOOMANYREQUESTS_ERROR
 
@@ -135,18 +134,14 @@ def _get_aad_token_after_challenge(cli_ctx,
                                    artifact_repository,
                                    permission,
                                    is_diagnostics_context,
-                                   use_acr_audience,
                                    verify_user_permissions):
     authurl = urlparse(token_params['realm'])
     authhost = urlunparse((authurl[0], authurl[1], '/oauth2/exchange', '', '', ''))
 
     from azure.cli.core._profile import Profile
     profile = Profile(cli_ctx=cli_ctx)
 
-    scope = None
-    if use_acr_audience:
-        logger.debug("Using ACR audience token for authentication")
-        scope = "https://{}.azure.net".format(ACR_AUDIENCE_RESOURCE_NAME)
+    scope = "https://{}.azure.net".format(ACR_AUDIENCE_RESOURCE_NAME)
 
     # this might be a cross tenant scenario, so pass subscription to get_raw_token
     creds, _, tenant = profile.get_raw_token(subscription=get_subscription_id(cli_ctx),
@@ -267,7 +262,6 @@ def _get_aad_token(cli_ctx,
                    artifact_repository=None,
                    permission=None,
                    is_diagnostics_context=False,
-                   use_acr_audience=False,
                    verify_user_permissions=False):
     """Obtains refresh and access tokens for an AAD-enabled registry. Will return the allowed actions if
     verify_user_permissions is set to True.
@@ -296,7 +290,6 @@ def _get_aad_token(cli_ctx,
                                           artifact_repository,
                                           permission,
                                           is_diagnostics_context,
-                                          use_acr_audience,
                                           verify_user_permissions)
 
 
@@ -453,19 +446,12 @@ def _get_credentials(cmd,  # pylint: disable=too-many-statements
     if not registry or registry.sku.name in get_managed_sku(cmd):
         logger.info("Attempting to retrieve AAD refresh token...")
         try:
-            use_acr_audience = False
-
-            if registry:
-                aad_auth_policy = acr_config_authentication_as_arm_show(cmd, registry_name, resource_group_name)
-                use_acr_audience = (aad_auth_policy and aad_auth_policy.status == 'disabled')
-
             return login_server, EMPTY_GUID, _get_aad_token(cli_ctx,
                                                             login_server,
                                                             only_refresh_token,
                                                             repository,
                                                             artifact_repository,
-                                                            permission,
-                                                            use_acr_audience=use_acr_audience)
+                                                            permission)
         except CLIError as e:
             raise_toomanyrequests_error(str(e))
             logger.warning("%s: %s", AAD_TOKEN_BASE_ERROR_MESSAGE, str(e))

src/azure-cli/azure/cli/command_modules/acr/tests/latest/test_acr_commands_mock.py

@@ -1206,6 +1206,7 @@ def _core_token_scenarios(self, mock_get_raw_token, mock_requests_get, mock_requ
 
         # Test get refresh token
         get_login_credentials(cmd, registry_name, tenant_suffix=tenant_suffix)
+        self._validate_raw_token_request(mock_get_raw_token)
         self._validate_refresh_token_request(mock_requests_get, mock_requests_post, login_server)
 
         # Test get access token for container image repository
@@ -1237,6 +1238,9 @@ def _setup_mock_token_requests(self, mock_get_aad_token, mock_requests_get, mock
             'access_token': TEST_ACR_ACCESS_TOKEN}).encode()
         mock_requests_post.return_value = token_response
 
+    def _validate_raw_token_request(self, mock_get_raw_token):
+        mock_get_raw_token.assert_called_with(mock.ANY, resource="https://containerregistry.azure.net", subscription=mock.ANY)
+
     def _validate_refresh_token_request(self, mock_requests_get, mock_requests_post, login_server):
         mock_requests_get.assert_called_with('https://{}/v2/'.format(login_server), verify=mock.ANY)
         mock_requests_post.assert_called_with(