Add AzurePipelinesCredential (Azure#2306)

* Add AzurePipelinesCredential

Resolves Azure#2030

* Clean up declaration a little and add docs, example

* Fix README samples after refactoring

* Fix lint

* Fix clippy issues with wasm32

Author: heaths

.vscode/settings.json

@@ -2,10 +2,13 @@
   "azure-pipelines.1ESPipelineTemplatesSchemaFile": true,
   "cSpell.enabled": true,
   "editor.formatOnSave": true,
+  "markdownlint.config": {
+    "MD024": false
+  },
   "rust-analyzer.cargo.features": "all",
   "rust-analyzer.check.command": "clippy",
   "yaml.format.printWidth": 240,
   "[powershell]": {
     "editor.defaultFormatter": "ms-vscode.powershell",
   },
-}
+}

Cargo.lock

@@ -53,6 +53,7 @@ zip.workspace = true
 # Crate used in README.md example.
 azure_security_keyvault_secrets = { path = "../../keyvault/azure_security_keyvault_secrets" }
 clap.workspace = true
+tokio = { workspace = true, features = ["macros", "rt"] }
 tracing-subscriber = { workspace = true, features = ["env-filter", "fmt"] }
 uuid.workspace = true
 

sdk/core/azure_core_test/Cargo.toml

@@ -0,0 +1,70 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+//! Credentials for live and recorded tests.
+use azure_core::{
+    credentials::{AccessToken, Secret, TokenCredential},
+    date::OffsetDateTime,
+    error::ErrorKind,
+};
+use azure_identity::{AzurePipelinesCredential, DefaultAzureCredential, TokenCredentialOptions};
+use std::{env, sync::Arc, time::Duration};
+
+/// A mock [`TokenCredential`] useful for testing.
+#[derive(Clone, Debug, Default)]
+pub struct MockCredential;
+
+#[cfg_attr(target_arch = "wasm32", async_trait::async_trait(?Send))]
+#[cfg_attr(not(target_arch = "wasm32"), async_trait::async_trait)]
+impl TokenCredential for MockCredential {
+    async fn get_token(&self, scopes: &[&str]) -> azure_core::Result<AccessToken> {
+        let token: Secret = format!("TEST TOKEN {}", scopes.join(" ")).into();
+        let expires_on = OffsetDateTime::now_utc().saturating_add(
+            Duration::from_secs(60 * 5).try_into().map_err(|err| {
+                azure_core::Error::full(ErrorKind::Other, err, "failed to compute expiration")
+            })?,
+        );
+        Ok(AccessToken { token, expires_on })
+    }
+
+    async fn clear_cache(&self) -> azure_core::Result<()> {
+        Ok(())
+    }
+}
+
+/// Gets a `TokenCredential` appropriate for the current environment.
+///
+/// When running in Azure Pipelines, this will return an [`AzurePipelinesCredential`];
+/// otherwise, it will return a [`DefaultAzureCredential`].
+pub fn from_env(
+    options: Option<TokenCredentialOptions>,
+) -> azure_core::Result<Arc<dyn TokenCredential>> {
+    // cspell:ignore accesstoken azuresubscription
+    let tenant_id = env::var("AZURESUBSCRIPTION_TENANT_ID").ok();
+    let client_id = env::var("AZURESUBSCRIPTION_CLIENT_ID").ok();
+    let connection_id = env::var("AZURESUBSCRIPTION_SERVICE_CONNECTION_ID").ok();
+    let access_token = env::var("SYSTEM_ACCESSTOKEN").ok();
+
+    if let (Some(tenant_id), Some(client_id), Some(connection_id), Some(access_token)) =
+        (tenant_id, client_id, connection_id, access_token)
+    {
+        if !tenant_id.is_empty()
+            && !client_id.is_empty()
+            && !connection_id.is_empty()
+            && !access_token.is_empty()
+        {
+            return Ok(AzurePipelinesCredential::new(
+                tenant_id,
+                client_id,
+                &connection_id,
+                access_token,
+                options.map(Into::into),
+            )? as Arc<dyn TokenCredential>);
+        }
+    }
+
+    Ok(
+        DefaultAzureCredential::with_options(options.unwrap_or_default())?
+            as Arc<dyn TokenCredential>,
+    )
+}

sdk/core/azure_core_test/src/credential.rs

@@ -0,0 +1,124 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+use async_trait::async_trait;
+use azure_core::{HttpClient, Request, Response, Result};
+use futures::{future::BoxFuture, lock::Mutex};
+use std::fmt;
+
+/// An [`HttpClient`] from which you can assert [`Request`]s and return mock [`Response`]s.
+///
+/// # Examples
+///
+/// ```
+/// use azure_core::{
+///     Bytes, ClientOptions,
+///     headers::Headers,
+///     Response, StatusCode, TransportOptions,
+/// };
+/// use azure_core_test::http::MockHttpClient;
+/// use azure_identity::DefaultAzureCredential;
+/// use azure_security_keyvault_secrets::{SecretClient, SecretClientOptions};
+/// use futures::FutureExt as _;
+/// use std::sync::Arc;
+///
+/// # #[tokio::main]
+/// # async fn main() -> Result<(), Box<dyn std::error::Error>> {
+/// let mock_client = Arc::new(MockHttpClient::new(|req| async {
+///     assert_eq!(req.url().host_str(), Some("my-vault.vault.azure.net"));
+///     Ok(Response::from_bytes(
+///         StatusCode::Ok,
+///         Headers::new(),
+///         Bytes::from_static(br#"{"value":"secret"}"#),
+///     ))
+/// }.boxed()));
+/// let credential = DefaultAzureCredential::new()?;
+/// let options = SecretClientOptions {
+///     client_options: ClientOptions {
+///         transport: Some(TransportOptions::new(mock_client.clone())),
+///         ..Default::default()
+///     },
+///     ..Default::default()
+/// };
+/// let client = SecretClient::new(
+///     "https://my-vault.vault.azure.net",
+///     credential.clone(),
+///     Some(options),
+/// );
+/// # Ok(())
+/// # }
+/// ```
+pub struct MockHttpClient<C>(Mutex<C>);
+
+impl<C> MockHttpClient<C>
+where
+    C: FnMut(&Request) -> BoxFuture<'_, Result<Response>> + Send + Sync,
+{
+    /// Creates a new `MockHttpClient` using a capture.
+    ///
+    /// The capture takes a `&Request` and returns a `BoxedFuture<Output = azure_core::Result<Response>>`.
+    /// See the example on [`MockHttpClient`].
+    pub fn new(client: C) -> Self {
+        Self(Mutex::new(client))
+    }
+}
+
+impl<C> fmt::Debug for MockHttpClient<C> {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        f.write_str(stringify!("MockHttpClient"))
+    }
+}
+
+#[cfg_attr(target_arch = "wasm32", async_trait(?Send))]
+#[cfg_attr(not(target_arch = "wasm32"), async_trait)]
+impl<C> HttpClient for MockHttpClient<C>
+where
+    C: FnMut(&Request) -> BoxFuture<'_, Result<Response>> + Send + Sync,
+{
+    async fn execute_request(&self, req: &Request) -> Result<Response> {
+        let mut client = self.0.lock().await;
+        (client)(req).await
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use futures::FutureExt as _;
+
+    #[tokio::test]
+    async fn mock_http_client() {
+        use azure_core::{
+            headers::{HeaderName, Headers},
+            Method, StatusCode,
+        };
+        use std::sync::{Arc, Mutex};
+
+        const COUNT_HEADER: HeaderName = HeaderName::from_static("x-count");
+
+        let count = Arc::new(Mutex::new(0));
+        let mock_client = Arc::new(MockHttpClient::new(|req| {
+            let count = count.clone();
+            async move {
+                assert_eq!(req.url().host_str(), Some("localhost"));
+
+                if req.headers().get_optional_str(&COUNT_HEADER).is_some() {
+                    let mut count = count.lock().unwrap();
+                    *count += 1;
+                }
+
+                Ok(Response::from_bytes(StatusCode::Ok, Headers::new(), vec![]))
+            }
+            .boxed()
+        })) as Arc<dyn HttpClient>;
+
+        let req = Request::new("https://localhost".parse().unwrap(), Method::Get);
+        mock_client.execute_request(&req).await.unwrap();
+
+        let mut req = Request::new("https://localhost".parse().unwrap(), Method::Get);
+        req.insert_header(COUNT_HEADER, "true");
+        mock_client.execute_request(&req).await.unwrap();
+
+        assert_eq!(*count.lock().unwrap(), 1);
+    }
+}

sdk/core/azure_core_test/src/credentials.rs

@@ -0,0 +1,7 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+//! HTTP testing utilities.
+mod clients;
+
+pub use clients::*;

sdk/core/azure_core_test/src/http/clients.rs

@@ -3,14 +3,14 @@
 
 #![doc = include_str!("../README.md")]
 
-mod credential;
+pub mod credentials;
+pub mod http;
 pub mod proxy;
 pub mod recorded;
 mod recording;
 
 use azure_core::Error;
 pub use azure_core::{error::ErrorKind, test::TestMode};
-pub use credential::*;
 pub use proxy::{matchers::*, sanitizers::*};
 pub use recording::*;
 use std::path::{Path, PathBuf};

sdk/core/azure_core_test/src/http/mod.rs

@@ -5,6 +5,7 @@
 
 // cspell:ignore csprng seedable tpbwhbkhckmk
 use crate::{
+    credentials::{self, MockCredential},
     proxy::{
         client::{
             Client, ClientAddSanitizerOptions, ClientRemoveSanitizersOptions,
@@ -14,7 +15,7 @@ use crate::{
         policy::RecordingPolicy,
         Proxy, RecordingId,
     },
-    Matcher, MockCredential, Sanitizer,
+    Matcher, Sanitizer,
 };
 use azure_core::{
     base64,
@@ -24,7 +25,6 @@ use azure_core::{
     test::TestMode,
     ClientOptions, Header,
 };
-use azure_identity::DefaultAzureCredential;
 use rand::{
     distributions::{Alphanumeric, DistString, Distribution, Standard},
     Rng, SeedableRng,
@@ -83,7 +83,7 @@ impl Recording {
     pub fn credential(&self) -> Arc<dyn TokenCredential> {
         match self.test_mode {
             TestMode::Playback => Arc::new(MockCredential) as Arc<dyn TokenCredential>,
-            _ => DefaultAzureCredential::new().map_or_else(
+            _ => credentials::from_env(None).map_or_else(
                 |err| panic!("failed to create DefaultAzureCredential: {err}"),
                 |cred| cred as Arc<dyn TokenCredential>,
             ),

sdk/core/azure_core_test/src/lib.rs

@@ -1,5 +1,20 @@
 # Release History
 
+## 0.32.0 (Unreleased)
+
+### Features Added
+
+- Added `AzurePipelinesCredential`.
+
+### Breaking Changes
+
+- `ClientAssertionCredential` constructors moved some parameters to an `Option<ClientAssertionCredentialOptions>` parameter.
+- `WorkloadIdentityCredential` constructors moved some parameters to an `Option<ClientAssertionCredentialOptions>` parameter.
+
+### Bugs Fixed
+
+### Other Changes
+
 ## 0.22.0 (2025-02-18)
 
 ### Features Added