[azopenai] Plumb InsecureAllowCredentialWithHTTP through every client constructor (Azure#23233)

Extending client to also allow insecure auth on all the client constructors using InsecureAllowCredentialWithHTTP.

Author: richardpark-msft

sdk/ai/azopenai/CHANGELOG.md

@@ -8,7 +8,7 @@
 
 ### Bugs Fixed
 
-- Ai sdk custom_client now respects `InsecureAllowCredentialWithHTTP` flag for allowing insecure connections. (PR#23188)
+- Client now respects the `InsecureAllowCredentialWithHTTP` flag for allowing non-HTTPS connections. Thank you @ukrocks007!  (PR#23188)
 
 ### Other Changes
 

sdk/ai/azopenai/client_test.go

@@ -8,14 +8,18 @@ package azopenai_test
 
 import (
 	"context"
+	"fmt"
 	"net/http"
+	"net/http/httptest"
 	"reflect"
 	"testing"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/ai/azopenai"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore/policy"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
 	"github.com/Azure/azure-sdk-for-go/sdk/internal/recording"
+	"github.com/Azure/azure-sdk-for-go/sdk/internal/test/credential"
 	"github.com/stretchr/testify/require"
 )
 
@@ -57,3 +61,93 @@ func TestClient_EmptyOptionsChecking(t *testing.T) {
 		require.Emptyf(t, fields, "%T is ignored in our function signatures because it's empty", v)
 	}
 }
+
+func TestClient_InsecureHTTPAllowed(t *testing.T) {
+	const fakeID = "fake-id"
+
+	hf := func(resp http.ResponseWriter, req *http.Request) {
+		// _just_ enough of a response to prove we made it through the pipeline.
+		_, err := resp.Write([]byte(fmt.Sprintf("{ \"id\": \"%s\" }", fakeID)))
+		require.NoError(t, err)
+	}
+
+	urlCh := make(chan string)
+
+	go func() {
+		// start an HTTP service
+		server := httptest.NewServer(http.HandlerFunc(hf))
+		urlCh <- server.URL
+		t.Cleanup(server.Close)
+	}()
+
+	url := <-urlCh
+	t.Logf(url)
+
+	t.Run("DefaultsToHTTPSOnly", func(t *testing.T) {
+		client, err := azopenai.NewClientForOpenAI(url, azcore.NewKeyCredential("fake-key"), nil)
+		require.NoError(t, err)
+
+		resp, err := client.GetChatCompletions(context.Background(), azopenai.ChatCompletionsOptions{
+			Messages: []azopenai.ChatRequestMessageClassification{},
+		}, nil)
+		require.Empty(t, resp)
+		require.EqualError(t, err, "authenticated requests are not permitted for non TLS protected (https) endpoints")
+
+		client, err = azopenai.NewClientWithKeyCredential(url, azcore.NewKeyCredential("fake-key"), nil)
+		require.NoError(t, err)
+
+		resp, err = client.GetChatCompletions(context.Background(), azopenai.ChatCompletionsOptions{
+			Messages: []azopenai.ChatRequestMessageClassification{},
+		}, nil)
+		require.Empty(t, resp)
+		require.EqualError(t, err, "authenticated requests are not permitted for non TLS protected (https) endpoints")
+
+		fakeCred := &credential.Fake{}
+
+		client, err = azopenai.NewClient(url, fakeCred, nil)
+		require.NoError(t, err)
+
+		resp, err = client.GetChatCompletions(context.Background(), azopenai.ChatCompletionsOptions{
+			Messages: []azopenai.ChatRequestMessageClassification{},
+		}, nil)
+		require.Empty(t, resp)
+		require.EqualError(t, err, "authenticated requests are not permitted for non TLS protected (https) endpoints")
+	})
+
+	t.Run("InsecureAllowCredentialWithHTTP", func(t *testing.T) {
+		clientOptions := &azopenai.ClientOptions{
+			ClientOptions: policy.ClientOptions{
+				InsecureAllowCredentialWithHTTP: true,
+			},
+		}
+
+		client, err := azopenai.NewClientForOpenAI(url, azcore.NewKeyCredential("fake-key"), clientOptions)
+		require.NoError(t, err)
+
+		resp, err := client.GetChatCompletions(context.Background(), azopenai.ChatCompletionsOptions{
+			Messages: []azopenai.ChatRequestMessageClassification{},
+		}, nil)
+		require.NoError(t, err)
+		require.Equal(t, fakeID, *resp.ID)
+
+		client, err = azopenai.NewClientWithKeyCredential(url, azcore.NewKeyCredential("fake-key"), clientOptions)
+		require.NoError(t, err)
+
+		resp, err = client.GetChatCompletions(context.Background(), azopenai.ChatCompletionsOptions{
+			Messages: []azopenai.ChatRequestMessageClassification{},
+		}, nil)
+		require.NoError(t, err)
+		require.Equal(t, fakeID, *resp.ID)
+
+		fakeCred := &credential.Fake{}
+
+		client, err = azopenai.NewClient(url, fakeCred, clientOptions)
+		require.NoError(t, err)
+
+		resp, err = client.GetChatCompletions(context.Background(), azopenai.ChatCompletionsOptions{
+			Messages: []azopenai.ChatRequestMessageClassification{},
+		}, nil)
+		require.NoError(t, err)
+		require.Equal(t, fakeID, *resp.ID)
+	})
+}

sdk/ai/azopenai/custom_client.go

@@ -44,8 +44,13 @@ func NewClient(endpoint string, credential azcore.TokenCredential, options *Clie
 		options = &ClientOptions{}
 	}
 
-	authPolicy := runtime.NewBearerTokenPolicy(credential, []string{tokenScope}, nil)
-	azcoreClient, err := azcore.NewClient(clientName, version, runtime.PipelineOptions{PerRetry: []policy.Policy{authPolicy}}, &options.ClientOptions)
+	authPolicy := runtime.NewBearerTokenPolicy(credential, []string{tokenScope}, &policy.BearerTokenOptions{
+		InsecureAllowCredentialWithHTTP: allowInsecure(options),
+	})
+
+	azcoreClient, err := azcore.NewClient(clientName, version, runtime.PipelineOptions{
+		PerRetry: []policy.Policy{authPolicy},
+	}, &options.ClientOptions)
 
 	if err != nil {
 		return nil, err
@@ -69,8 +74,13 @@ func NewClientWithKeyCredential(endpoint string, credential *azcore.KeyCredentia
 		options = &ClientOptions{}
 	}
 
-	authPolicy := runtime.NewKeyCredentialPolicy(credential, "api-key", nil)
-	azcoreClient, err := azcore.NewClient(clientName, version, runtime.PipelineOptions{PerRetry: []policy.Policy{authPolicy}}, &options.ClientOptions)
+	authPolicy := runtime.NewKeyCredentialPolicy(credential, "api-key", &runtime.KeyCredentialPolicyOptions{
+		InsecureAllowCredentialWithHTTP: allowInsecure(options),
+	})
+
+	azcoreClient, err := azcore.NewClient(clientName, version, runtime.PipelineOptions{
+		PerRetry: []policy.Policy{authPolicy},
+	}, &options.ClientOptions)
 	if err != nil {
 		return nil, err
 	}
@@ -95,11 +105,14 @@ func NewClientForOpenAI(endpoint string, credential *azcore.KeyCredential, optio
 
 	kp := runtime.NewKeyCredentialPolicy(credential, "authorization", &runtime.KeyCredentialPolicyOptions{
 		Prefix:                          "Bearer ",
-		InsecureAllowCredentialWithHTTP: options.InsecureAllowCredentialWithHTTP,
+		InsecureAllowCredentialWithHTTP: allowInsecure(options),
 	})
 
 	azcoreClient, err := azcore.NewClient(clientName, version, runtime.PipelineOptions{
-		PerRetry: []policy.Policy{kp, newOpenAIPolicy()},
+		PerRetry: []policy.Policy{
+			kp,
+			newOpenAIPolicy(),
+		},
 	}, &options.ClientOptions)
 
 	if err != nil {
@@ -308,3 +321,7 @@ func (c ChatRequestUserMessageContent) MarshalJSON() ([]byte, error) {
 func (c *ChatRequestUserMessageContent) UnmarshalJSON(data []byte) error {
 	return json.Unmarshal(data, &c.value)
 }
+
+func allowInsecure(options *ClientOptions) bool {
+	return options != nil && options.InsecureAllowCredentialWithHTTP
+}