Log troubleshooting headers for AzurePipelinesCredential (Azure#46376)

christothes · web-flow · commit 08581f758b0b · 2024-10-01T10:18:41.000-05:00
diff --git a/sdk/identity/Azure.Identity.Broker/tests/PopTestClient.cs b/sdk/identity/Azure.Identity.Broker/tests/PopTestClient.cs
@@ -20,8 +20,7 @@ public PopTestClient(TokenCredential credential, ClientOptions options = null)
             var pipelineOptions = new HttpPipelineOptions(options);
             pipelineOptions.PerRetryPolicies.Add(new PopTokenAuthenticationPolicy(credential, "https://graph.microsoft.com/.default"));
             _pipeline = HttpPipelineBuilder.Build(
-                pipelineOptions,
-                new HttpPipelineTransportOptions { ServerCertificateCustomValidationCallback = (_) => true });
+                pipelineOptions);
         }
 
         [ForwardsClientCalls(true)]
diff --git a/sdk/identity/Azure.Identity/CHANGELOG.md b/sdk/identity/Azure.Identity/CHANGELOG.md
@@ -13,6 +13,8 @@
 
 ### Other Changes
 
+- Improved error logging for `AzurePipelinesCredential`.
+
 ## 1.13.0-beta.2 (2024-09-17)
 
 ### Features Added
diff --git a/sdk/identity/Azure.Identity/src/Credentials/AzurePipelinesCredential.cs b/sdk/identity/Azure.Identity/src/Credentials/AzurePipelinesCredential.cs
@@ -16,7 +16,7 @@ namespace Azure.Identity
     /// </summary>
     public class AzurePipelinesCredential : TokenCredential
     {
-        private const string Troubleshooting = "See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/azurepipelinescredential/troubleshoot";
+        internal const string Troubleshooting = "See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/azurepipelinescredential/troubleshoot";
         internal readonly string[] AdditionallyAllowedTenantIds;
         internal string SystemAccessToken { get; }
         internal string TenantId { get; }
@@ -151,7 +151,10 @@ internal string GetOidcTokenResponse(HttpMessage message)
                 string error = $"OIDC token not found in response. " + Troubleshooting;
                 if (message.Response.Status != 200)
                 {
-                    error = error + $"\n\nResponse= {message.Response.Content}";
+                    var is_x_vss_e2eidValueFound = message.Response.Headers.TryGetValue("x-vss-e2eid", out var x_vss_e2eidValue);
+                    var is_x_msedge_refValueFound = message.Response.Headers.TryGetValue("x-msedge-ref", out var x_msedge_refValue);
+
+                    error = error + $"\n\nResponse= {message.Response.Content}\n\nx-vss-e2eid= {(is_x_vss_e2eidValueFound ? x_vss_e2eidValue : "Not Found")}\n\nx-msedge-ref= {(is_x_msedge_refValueFound ? x_msedge_refValue : "Not Found")}";
                 }
                 throw new AuthenticationFailedException(error);
             }
diff --git a/sdk/identity/Azure.Identity/tests/AzurePipelinesCredentialTests.cs b/sdk/identity/Azure.Identity/tests/AzurePipelinesCredentialTests.cs
@@ -114,10 +114,11 @@ public void AzurePipelineCredentialReturnsErrorInformation()
                 var mockTransport = new MockTransport(req => new MockResponse(200).WithContent(
                             $"{{\"token_type\": \"Bearer\",\"expires_in\": 9999,\"ext_expires_in\": 9999,\"access_token\": \"mytoken\" }}"));
 
-                var options = new AzurePipelinesCredentialOptions { Transport = mockTransport };
+                var options = new AzurePipelinesCredentialOptions { Transport = mockTransport, OidcRequestUri = "https://mockCollectionUri" };
                 var cred = new AzurePipelinesCredential(tenantId, clientId, serviceConnectionId, systemAccessToken, options);
 
-                Assert.ThrowsAsync<AuthenticationFailedException>(async () => await cred.GetTokenAsync(new TokenRequestContext(new[] { "scope" }), CancellationToken.None));
+                var ex = Assert.ThrowsAsync<AuthenticationFailedException>(async () => await cred.GetTokenAsync(new TokenRequestContext(new[] { "scope" }), CancellationToken.None));
+                Assert.That(ex.Message, Does.Contain(AzurePipelinesCredential.Troubleshooting));
             }
         }
 
@@ -140,7 +141,10 @@ public void AzurePipelineCredentialReturnsNonJsonErrorInformation(int responseSt
                 {
                     if (req.Uri.Host == "mockcollectionuri")
                     {
-                        return new MockResponse(responseStatusCode).WithContent($"< not json, but an error >");
+                        return new MockResponse(responseStatusCode)
+                            .WithContent($"< not json, but an error >")
+                            .WithHeader("x-vss-e2eid", "myE2EId")
+                            .WithHeader("x-msedge-ref", "myRef");
                     }
                     return new MockResponse(200).WithContent(
                             $"{{\"token_type\": \"Bearer\",\"expires_in\": 9999,\"ext_expires_in\": 9999,\"access_token\": \"mytoken\" }}");
@@ -158,6 +162,9 @@ public void AzurePipelineCredentialReturnsNonJsonErrorInformation(int responseSt
                 else
                 {
                     Assert.That(ex.Message, Does.Contain("< not json, but an error >"));
+                    Assert.That(ex.Message, Does.Contain(AzurePipelinesCredential.Troubleshooting));
+                    Assert.That(ex.Message, Does.Contain("myE2EId"));
+                    Assert.That(ex.Message, Does.Contain("myRef"));
                 }
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -20,8 +20,7 @@ public PopTestClient(TokenCredential credential, ClientOptions options = null)`
`20`	`20`	`var pipelineOptions = new HttpPipelineOptions(options);`
`21`	`21`	`pipelineOptions.PerRetryPolicies.Add(new PopTokenAuthenticationPolicy(credential, "https://graph.microsoft.com/.default"));`
`22`	`22`	`_pipeline = HttpPipelineBuilder.Build(`
`23`		`- pipelineOptions,`
`24`		`- new HttpPipelineTransportOptions { ServerCertificateCustomValidationCallback = (_) => true });`
	`23`	`+ pipelineOptions);`
`25`	`24`	`}`
`26`	`25`
`27`	`26`	`[ForwardsClientCalls(true)]`
Original file line number	Diff line number	Diff line change
`@@ -16,7 +16,7 @@ namespace Azure.Identity`
`16`	`16`	`/// </summary>`
`17`	`17`	`public class AzurePipelinesCredential : TokenCredential`
`18`	`18`	`{`
`19`		`- private const string Troubleshooting = "See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/azurepipelinescredential/troubleshoot";`
	`19`	`+ internal const string Troubleshooting = "See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/azurepipelinescredential/troubleshoot";`
`20`	`20`	`internal readonly string[] AdditionallyAllowedTenantIds;`
`21`	`21`	`internal string SystemAccessToken { get; }`
`22`	`22`	`internal string TenantId { get; }`
`@@ -151,7 +151,10 @@ internal string GetOidcTokenResponse(HttpMessage message)`
`151`	`151`	`string error = $"OIDC token not found in response. " + Troubleshooting;`
`152`	`152`	`if (message.Response.Status != 200)`
`153`	`153`	`{`
`154`		`- error = error + $"\n\nResponse= {message.Response.Content}";`
	`154`	`+ var is_x_vss_e2eidValueFound = message.Response.Headers.TryGetValue("x-vss-e2eid", out var x_vss_e2eidValue);`
	`155`	`+ var is_x_msedge_refValueFound = message.Response.Headers.TryGetValue("x-msedge-ref", out var x_msedge_refValue);`
	`156`	`+`
	`157`	`+ error = error + $"\n\nResponse= {message.Response.Content}\n\nx-vss-e2eid= {(is_x_vss_e2eidValueFound ? x_vss_e2eidValue : "Not Found")}\n\nx-msedge-ref= {(is_x_msedge_refValueFound ? x_msedge_refValue : "Not Found")}";`
`155`	`158`	`}`
`156`	`159`	`throw new AuthenticationFailedException(error);`
`157`	`160`	`}`
Original file line number	Diff line number	Diff line change
`@@ -114,10 +114,11 @@ public void AzurePipelineCredentialReturnsErrorInformation()`
`114`	`114`	`var mockTransport = new MockTransport(req => new MockResponse(200).WithContent(`
`115`	`115`	`$"{{\"token_type\": \"Bearer\",\"expires_in\": 9999,\"ext_expires_in\": 9999,\"access_token\": \"mytoken\" }}"));`
`116`	`116`
`117`		`- var options = new AzurePipelinesCredentialOptions { Transport = mockTransport };`
	`117`	`+ var options = new AzurePipelinesCredentialOptions { Transport = mockTransport, OidcRequestUri = "https://mockCollectionUri" };`
`118`	`118`	`var cred = new AzurePipelinesCredential(tenantId, clientId, serviceConnectionId, systemAccessToken, options);`
`119`	`119`
`120`		`- Assert.ThrowsAsync<AuthenticationFailedException>(async () => await cred.GetTokenAsync(new TokenRequestContext(new[] { "scope" }), CancellationToken.None));`
	`120`	`+ var ex = Assert.ThrowsAsync<AuthenticationFailedException>(async () => await cred.GetTokenAsync(new TokenRequestContext(new[] { "scope" }), CancellationToken.None));`
	`121`	`+ Assert.That(ex.Message, Does.Contain(AzurePipelinesCredential.Troubleshooting));`
`121`	`122`	`}`
`122`	`123`	`}`
`123`	`124`
`@@ -140,7 +141,10 @@ public void AzurePipelineCredentialReturnsNonJsonErrorInformation(int responseSt`
`140`	`141`	`{`
`141`	`142`	`if (req.Uri.Host == "mockcollectionuri")`
`142`	`143`	`{`
`143`		`- return new MockResponse(responseStatusCode).WithContent($"< not json, but an error >");`
	`144`	`+ return new MockResponse(responseStatusCode)`
	`145`	`+ .WithContent($"< not json, but an error >")`
	`146`	`+ .WithHeader("x-vss-e2eid", "myE2EId")`
	`147`	`+ .WithHeader("x-msedge-ref", "myRef");`
`144`	`148`	`}`
`145`	`149`	`return new MockResponse(200).WithContent(`
`146`	`150`	`$"{{\"token_type\": \"Bearer\",\"expires_in\": 9999,\"ext_expires_in\": 9999,\"access_token\": \"mytoken\" }}");`
`@@ -158,6 +162,9 @@ public void AzurePipelineCredentialReturnsNonJsonErrorInformation(int responseSt`
`158`	`162`	`else`
`159`	`163`	`{`
`160`	`164`	`Assert.That(ex.Message, Does.Contain("< not json, but an error >"));`
	`165`	`+ Assert.That(ex.Message, Does.Contain(AzurePipelinesCredential.Troubleshooting));`
	`166`	`+ Assert.That(ex.Message, Does.Contain("myE2EId"));`
	`167`	`+ Assert.That(ex.Message, Does.Contain("myRef"));`
`161`	`168`	`}`
`162`	`169`	`}`
`163`	`170`	`}`