Do not throw an exception during AzureCliCredential construction, but rather delay it on GetToken() call. (#4979)

ahsonkhan · web-flow · commit b5c3c4971ded · 2023-10-05T20:31:29.000Z
* Do not throw an exception during `AzureCliCredential` construction, but rather delay it on GetToken() call.

* Update az cli unsafe chars test.
diff --git a/sdk/identity/azure-identity/src/azure_cli_credential.cpp b/sdk/identity/azure-identity/src/azure_cli_credential.cpp
@@ -92,8 +92,6 @@ AzureCliCredential::AzureCliCredential(
 {
   static_cast<void>(options);
 
-  ThrowIfNotSafeCmdLineInput(m_tenantId, "TenantID");
-
   IdentityLog::Write(
       IdentityLog::Level::Informational,
       GetCredentialName()
@@ -123,6 +121,7 @@ std::string AzureCliCredential::GetAzCommand(std::string const& scopes, std::str
     const
 {
   ThrowIfNotSafeCmdLineInput(scopes, "Scopes");
+  ThrowIfNotSafeCmdLineInput(m_tenantId, "TenantID");
   std::string command = "az account get-access-token --output json --scope \"" + scopes + "\"";
 
   if (!tenantId.empty())
diff --git a/sdk/identity/azure-identity/test/ut/azure_cli_credential_test.cpp b/sdk/identity/azure-identity/test/ut/azure_cli_credential_test.cpp
@@ -325,9 +325,11 @@ TEST(AzureCliCredential, UnsafeChars)
     AzureCliCredentialOptions options;
     options.TenantId = "01234567-89AB-CDEF-0123-456789ABCDEF";
     options.TenantId += Exploit;
+    AzureCliCredential azCliCred(options);
 
-    EXPECT_THROW(
-        static_cast<void>(std::make_unique<AzureCliCredential>(options)), AuthenticationException);
+    TokenRequestContext trc;
+    trc.Scopes.push_back(std::string("https://storage.azure.com/.default"));
+    EXPECT_THROW(static_cast<void>(azCliCred.GetToken(trc, {})), AuthenticationException);
   }
 
   {

Original file line number	Diff line number	Diff line change
`@@ -92,8 +92,6 @@ AzureCliCredential::AzureCliCredential(`
`92`	`92`	`{`
`93`	`93`	`static_cast<void>(options);`
`94`	`94`
`95`		`- ThrowIfNotSafeCmdLineInput(m_tenantId, "TenantID");`
`96`		`-`
`97`	`95`	`IdentityLog::Write(`
`98`	`96`	`IdentityLog::Level::Informational,`
`99`	`97`	`GetCredentialName()`
`@@ -123,6 +121,7 @@ std::string AzureCliCredential::GetAzCommand(std::string const& scopes, std::str`
`123`	`121`	`const`
`124`	`122`	`{`
`125`	`123`	`ThrowIfNotSafeCmdLineInput(scopes, "Scopes");`
	`124`	`+ ThrowIfNotSafeCmdLineInput(m_tenantId, "TenantID");`
`126`	`125`	`std::string command = "az account get-access-token --output json --scope \"" + scopes + "\"";`
`127`	`126`
`128`	`127`	`if (!tenantId.empty())`
Original file line number	Diff line number	Diff line change
`@@ -325,9 +325,11 @@ TEST(AzureCliCredential, UnsafeChars)`
`325`	`325`	`AzureCliCredentialOptions options;`
`326`	`326`	`options.TenantId = "01234567-89AB-CDEF-0123-456789ABCDEF";`
`327`	`327`	`options.TenantId += Exploit;`
	`328`	`+ AzureCliCredential azCliCred(options);`
`328`	`329`
`329`		`- EXPECT_THROW(`
`330`		`- static_cast<void>(std::make_unique<AzureCliCredential>(options)), AuthenticationException);`
	`330`	`+ TokenRequestContext trc;`
	`331`	`+ trc.Scopes.push_back(std::string("https://storage.azure.com/.default"));`
	`332`	`+ EXPECT_THROW(static_cast<void>(azCliCred.GetToken(trc, {})), AuthenticationException);`
`331`	`333`	`}`
`332`	`334`
`333`	`335`	`{`