Identity fix powershell bugs (#41266)

* fix ordering of arguments for Windows

* Pass through Out-String to strip control codes (color, etc)

* Change call to Get-AzAccessToken to parse secure string and ignore warnings

* fix command building on Linux

* add a live test

* Redo how we send the command to powershell, include a version check for older versions of Az.Accounts.

* checkstyle

* Update ci.yml

* roll back ci.yml change

* make appconfiguration use this version for testing

* Update sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClient.java

Co-authored-by: Christopher Scott <[email protected]>

* roll back test

* update changelog

---------

Co-authored-by: Vinay Gera <[email protected]>
Co-authored-by: Christopher Scott <[email protected]>

Author: 3 people

eng/versioning/version_client.txt

@@ -482,6 +482,7 @@ io.clientcore:http-stress;1.0.0-beta.1;1.0.0-beta.1
 # note: The unreleased dependencies will not be manipulated with the automatic PR creation code.
 # In the pom, the version update tag after the version should name the unreleased package and the dependency version:
 # <!-- {x-version-update;unreleased_com.azure:azure-core;dependency} -->
+unreleased_com.azure:azure-identity;1.14.0-beta.1
 
 # Released Beta dependencies: Copy the entry from above, prepend "beta_", remove the current
 # version and set the version to the released beta. Released beta dependencies are only valid

sdk/appconfiguration/azure-data-appconfiguration/pom.xml

@@ -115,7 +115,7 @@
     <dependency>
       <groupId>com.azure</groupId>
       <artifactId>azure-identity</artifactId>
-      <version>1.13.1</version> <!-- {x-version-update;com.azure:azure-identity;dependency} -->
+      <version>1.14.0-beta.1</version> <!-- {x-version-update;unreleased_com.azure:azure-identity;dependency} -->
       <scope>test</scope>
     </dependency>
   </dependencies>

sdk/identity/azure-identity/CHANGELOG.md

@@ -7,6 +7,7 @@
 ### Breaking Changes
 
 ### Bugs Fixed
+- Fixed bugs in `AzurePowerShellCredential` - Fixed break on Windows related to ordering of parameters, and fixed [#41234](https://github.com/Azure/azure-sdk-for-java/issues/41234)
 
 ### Other Changes
 

sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/IdentityClient.java

@@ -45,6 +45,7 @@
 import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.MalformedURLException;
+
 import java.net.Proxy;
 import java.net.Proxy.Type;
 import java.net.URI;
@@ -500,45 +501,63 @@ private Mono<AccessToken> getAccessTokenFromPowerShell(TokenRequestContext reque
             throw LOGGER.logExceptionAsError(ex);
         }
         return Mono.defer(() -> {
-            String azAccountsCommand = "Import-Module Az.Accounts -MinimumVersion 2.2.0 -PassThru";
-            return powershellManager.runCommand(azAccountsCommand).flatMap(output -> {
-                if (output.contains("The specified module 'Az.Accounts' with version '2.2.0' was not loaded "
-                                    + "because no valid module file")) {
+            String sep = System.lineSeparator();
+
+            String command = "$ErrorActionPreference = 'Stop'" + sep
+                + "[version]$minimumVersion = '2.2.0'" + sep
+                + "" + sep
+                + "$m = Import-Module Az.Accounts -MinimumVersion $minimumVersion -PassThru -ErrorAction SilentlyContinue" + sep
+                + "" + sep
+                + "if (! $m) {" + sep
+                + "    Write-Output 'VersionTooOld'" + sep
+                + "    exit" + sep
+                + "}" + sep
+                + "" + sep
+                + "$useSecureString = $m.Version -ge [version]'2.17.0'" + sep
+                + "" + sep
+                + "$params = @{" + sep
+                + "    'WarningAction'='Ignore'" + sep
+                + "    'ResourceUrl'='" + scope + "'" + sep
+                + "}" + sep
+                + "" + sep
+                + "if ($useSecureString) {" + sep
+                + "    $params['AsSecureString'] = $true" + sep
+                + "}" + sep
+                + "" + sep
+                + "$token = Get-AzAccessToken @params" + sep
+                + "$customToken = New-Object -TypeName psobject" + sep
+                + "" + sep
+                + "$customToken | Add-Member -MemberType NoteProperty -Name Token -Value ($useSecureString -eq $true ? (ConvertFrom-SecureString -AsPlainText $token.Token) : $token.Token)" + sep
+                + "$customToken | Add-Member -MemberType NoteProperty -Name ExpiresOn -Value $token.ExpiresOn" + sep
+                + "" + sep
+                + "return $customToken | ConvertTo-Json";
+            return powershellManager.runCommand(command).flatMap(output -> {
+                if (output.contains("VersionTooOld")) {
                     return Mono.error(LoggingUtil.logCredentialUnavailableException(LOGGER, options,
                         new CredentialUnavailableException("Az.Account module with version >= 2.2.0 is not installed. "
-                                                           + "It needs to be installed to use Azure PowerShell "
-                                                           + "Credential.")));
+                            + "It needs to be installed to use Azure PowerShell "
+                            + "Credential.")));
                 }
 
-                LOGGER.verbose("Az.accounts module was found installed.");
-                String command = "Get-AzAccessToken -ResourceUrl '"
-                    + scope
-                    + "' | ConvertTo-Json";
-                LOGGER.verbose("Azure Powershell Authentication => Executing the command `{}` in Azure "
-                               + "Powershell to retrieve the Access Token.", command);
+                if (output.contains("Run Connect-AzAccount to login")) {
+                    return Mono.error(LoggingUtil.logCredentialUnavailableException(LOGGER, options,
+                        new CredentialUnavailableException(
+                            "Run Connect-AzAccount to login to Azure account in PowerShell.")));
+                }
 
-                return powershellManager.runCommand(command).flatMap(out -> {
-                    if (out.contains("Run Connect-AzAccount to login")) {
-                        return Mono.error(LoggingUtil.logCredentialUnavailableException(LOGGER, options,
-                            new CredentialUnavailableException(
-                                "Run Connect-AzAccount to login to Azure account in PowerShell.")));
-                    }
 
-                    try {
-                        LOGGER.verbose("Azure Powershell Authentication => Attempting to deserialize the "
-                                       + "received response from Azure Powershell.");
-                        Map<String, String> objectMap = SERIALIZER_ADAPTER.deserialize(out, Map.class,
-                            SerializerEncoding.JSON);
-                        String accessToken = objectMap.get("Token");
-                        String time = objectMap.get("ExpiresOn");
-                        OffsetDateTime expiresOn = OffsetDateTime.parse(time).withOffsetSameInstant(ZoneOffset.UTC);
-                        return Mono.just(new AccessToken(accessToken, expiresOn));
-                    } catch (IOException e) {
-                        return Mono.error(LoggingUtil.logCredentialUnavailableException(LOGGER, options,
-                            new CredentialUnavailableException(
-                                "Encountered error when deserializing response from Azure Power Shell.", e)));
-                    }
-                });
+                try {
+                    Map<String, String> objectMap = SERIALIZER_ADAPTER.deserialize(output, Map.class,
+                        SerializerEncoding.JSON);
+                    String accessToken = objectMap.get("Token");
+                    String time = objectMap.get("ExpiresOn");
+                    OffsetDateTime expiresOn = OffsetDateTime.parse(time).withOffsetSameInstant(ZoneOffset.UTC);
+                    return Mono.just(new AccessToken(accessToken, expiresOn));
+                } catch (IOException e) {
+                    return Mono.error(LoggingUtil.logCredentialUnavailableException(LOGGER, options,
+                        new CredentialUnavailableException(
+                            "Encountered error when deserializing response from Azure Power Shell.", e)));
+                }
             });
         });
     }

sdk/identity/azure-identity/src/main/java/com/azure/identity/implementation/PowershellManager.java

@@ -11,6 +11,7 @@
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
+import java.nio.charset.StandardCharsets;
 import java.util.concurrent.TimeUnit;
 
 public class PowershellManager {
@@ -33,6 +34,7 @@ public Mono<String> runCommand(String input) {
             try {
                 String[] command = getCommandLine(input);
 
+
                 ProcessBuilder processBuilder = new ProcessBuilder(command);
                 processBuilder.redirectErrorStream(true);
                 Process process = processBuilder.start();
@@ -53,8 +55,10 @@ public Mono<String> runCommand(String input) {
     }
 
     String[] getCommandLine(String input) {
+        String base64Input = java.util.Base64.getEncoder().encodeToString(input.getBytes(StandardCharsets.UTF_16LE));
+
         return Platform.isWindows()
-            ? new String[]{powershellPath, "-Command", "-NoProfile", input}
-            : new String[]{"/bin/bash", "-c", String.format("%s -NoProfile -Command '%s'", powershellPath, input)};
+            ? new String[]{powershellPath, "-NoProfile", "-EncodedCommand", base64Input}
+            : new String[]{"/bin/bash", "-c", String.format("%s -NoProfile -EncodedCommand '%s'", powershellPath, base64Input)};
     }
 }