MI Live Tests (Azure#37075)

* adding mi test coverage and fixing headers to be sent the same for any authentication method

* credential async

* fixed live tests

* turn on federated auth

* added service connection

* fixed live tests

* added rbac permissions

* added more mi test coverage with query

* fix live tests:

* fixing live tests by removing forbidden check because accounts have roles to do this operations

* remove unnecessary imports

* removed internal roles so that customers can run tests

* removed internal roles so that customers can run tests

* use built in role definition instead of custom role definition id

* remove unused import

* reacting to feedback

Author: tvaron3

sdk/cosmos/azure-cosmos/azure/cosmos/_base.py

@@ -248,9 +248,8 @@ def GetHeaders(  # pylint: disable=too-many-statements,too-many-branches
     if options.get("priorityLevel"):
         headers[http_constants.HttpHeaders.PriorityLevel] = options["priorityLevel"]
 
-    if cosmos_client_connection.master_key:
-        # formatdate guarantees RFC 1123 date format regardless of current locale
-        headers[http_constants.HttpHeaders.XDate] = formatdate(timeval=None, localtime=False, usegmt=True)
+    # formatdate guarantees RFC 1123 date format regardless of current locale
+    headers[http_constants.HttpHeaders.XDate] = formatdate(timeval=None, localtime=False, usegmt=True)
 
     if cosmos_client_connection.master_key or cosmos_client_connection.resource_tokens:
         resource_type = _internal_resourcetype(resource_type)

sdk/cosmos/azure-cosmos/test/test_aad.py

@@ -12,7 +12,7 @@
 
 import azure.cosmos.cosmos_client as cosmos_client
 import test_config
-from azure.cosmos import exceptions, DatabaseProxy, ContainerProxy
+from azure.cosmos import DatabaseProxy, ContainerProxy, exceptions
 
 
 def _remove_padding(encoded_string):
@@ -93,21 +93,15 @@ class TestAAD(unittest.TestCase):
     configs = test_config.TestConfig
     host = configs.host
     masterKey = configs.masterKey
+    credential = CosmosEmulatorCredential() if configs.is_emulator else configs.credential
 
     @classmethod
     def setUpClass(cls):
-        cls.client = cosmos_client.CosmosClient(cls.host, cls.masterKey)
+        cls.client = cosmos_client.CosmosClient(cls.host, cls.credential)
         cls.database = cls.client.get_database_client(cls.configs.TEST_DATABASE_ID)
         cls.container = cls.database.get_container_client(cls.configs.TEST_SINGLE_PARTITION_CONTAINER_ID)
 
-    def test_emulator_aad_credentials(self):
-        if self.host != 'https://localhost:8081/':
-            print("This test is only configured to run on the emulator, skipping now.")
-            return
-
-        aad_client = cosmos_client.CosmosClient(self.host, CosmosEmulatorCredential())
-        # Do any R/W data operations with your authorized AAD client
-
+    def test_aad_credentials(self):
         print("Container info: " + str(self.container.read()))
         self.container.create_item(get_test_item(0))
         print("Point read result: " + str(self.container.read_item(item='Item_0', partition_key='pk')))
@@ -118,7 +112,7 @@ def test_emulator_aad_credentials(self):
 
         # Attempting to do management operations will return a 403 Forbidden exception
         try:
-            aad_client.delete_database(self.configs.TEST_DATABASE_ID)
+            self.client.delete_database(self.configs.TEST_DATABASE_ID)
         except exceptions.CosmosHttpResponseError as e:
             assert e.status_code == 403
             print("403 error assertion success")

sdk/cosmos/azure-cosmos/test/test_aad_async.py

@@ -0,0 +1,124 @@
+# The MIT License (MIT)
+# Copyright (c) Microsoft Corporation. All rights reserved.
+
+import base64
+import json
+import time
+import unittest
+from io import StringIO
+
+import pytest
+from azure.core.credentials import AccessToken
+
+import test_config
+from azure.cosmos import exceptions
+from azure.cosmos.aio import CosmosClient, DatabaseProxy, ContainerProxy
+
+
+def _remove_padding(encoded_string):
+    while encoded_string.endswith("="):
+        encoded_string = encoded_string[0:len(encoded_string) - 1]
+
+    return encoded_string
+
+
+def get_test_item(num):
+    test_item = {
+        'pk': 'pk',
+        'id': 'Item_' + str(num),
+        'test_object': True,
+        'lastName': 'Smith'
+    }
+    return test_item
+
+
+class CosmosEmulatorCredential(object):
+
+    async def get_token(self, *scopes, **kwargs):
+        # type: (*str, **Any) -> AccessToken
+        """Request an access token for the emulator. Based on Azure Core's Access Token Credential.
+
+        This method is called automatically by Azure SDK clients.
+
+        :param str scopes: desired scopes for the access token. This method requires at least one scope.
+        :rtype: :class:`azure.core.credentials.AccessToken`
+        :raises CredentialUnavailableError: the credential is unable to attempt authentication because it lacks
+          required data, state, or platform support
+        :raises ~azure.core.exceptions.ClientAuthenticationError: authentication failed. The error's ``message``
+          attribute gives a reason.
+        """
+        aad_header_cosmos_emulator = "{\"typ\":\"JWT\",\"alg\":\"RS256\",\"x5t\":\"" \
+                                     "CosmosEmulatorPrimaryMaster\",\"kid\":\"CosmosEmulatorPrimaryMaster\"}"
+
+        aad_claim_cosmos_emulator_format = {"aud": "https://localhost.localhost",
+                                            "iss": "https://sts.fake-issuer.net/7b1999a1-dfd7-440e-8204-00170979b984",
+                                            "iat": int(time.time()), "nbf": int(time.time()),
+                                            "exp": int(time.time() + 7200), "aio": "", "appid": "localhost",
+                                            "appidacr": "1", "idp": "https://localhost:8081/",
+                                            "oid": "96313034-4739-43cb-93cd-74193adbe5b6", "rh": "", "sub": "localhost",
+                                            "tid": "EmulatorFederation", "uti": "", "ver": "1.0",
+                                            "scp": "user_impersonation",
+                                            "groups": ["7ce1d003-4cb3-4879-b7c5-74062a35c66e",
+                                                       "e99ff30c-c229-4c67-ab29-30a6aebc3e58",
+                                                       "5549bb62-c77b-4305-bda9-9ec66b85d9e4",
+                                                       "c44fd685-5c58-452c-aaf7-13ce75184f65",
+                                                       "be895215-eab5-43b7-9536-9ef8fe130330"]}
+
+        emulator_key = test_config.TestConfig.masterKey
+
+        first_encoded_bytes = base64.urlsafe_b64encode(aad_header_cosmos_emulator.encode("utf-8"))
+        first_encoded_padded = str(first_encoded_bytes, "utf-8")
+        first_encoded = _remove_padding(first_encoded_padded)
+
+        str_io_obj = StringIO()
+        json.dump(aad_claim_cosmos_emulator_format, str_io_obj)
+        aad_claim_cosmos_emulator_format_string = str(str_io_obj.getvalue()).replace(" ", "")
+        second = aad_claim_cosmos_emulator_format_string
+        second_encoded_bytes = base64.urlsafe_b64encode(second.encode("utf-8"))
+        second_encoded_padded = str(second_encoded_bytes, "utf-8")
+        second_encoded = _remove_padding(second_encoded_padded)
+
+        emulator_key_encoded_bytes = base64.urlsafe_b64encode(emulator_key.encode("utf-8"))
+        emulator_key_encoded_padded = str(emulator_key_encoded_bytes, "utf-8")
+        emulator_key_encoded = _remove_padding(emulator_key_encoded_padded)
+
+        return AccessToken(first_encoded + "." + second_encoded + "." + emulator_key_encoded, int(time.time() + 7200))
+
+
+@pytest.mark.cosmosEmulator
+class TestAADAsync(unittest.TestCase):
+    client: CosmosClient = None
+    database: DatabaseProxy = None
+    container: ContainerProxy = None
+    configs = test_config.TestConfig
+    host = configs.host
+    masterKey = configs.masterKey
+    credential = CosmosEmulatorCredential() if configs.is_emulator else configs.credential_async
+
+    @classmethod
+    async def setUpClass(cls):
+        cls.client = CosmosClient(cls.host, cls.credential)
+        cls.database = cls.client.get_database_client(cls.configs.TEST_DATABASE_ID)
+        cls.container = cls.database.get_container_client(cls.configs.TEST_SINGLE_PARTITION_CONTAINER_ID)
+
+    async def test_aad_credentials_async(self):
+        # Do any R/W data operations with your authorized AAD client
+
+        print("Container info: " + str(self.container.read()))
+        await self.container.create_item(get_test_item(0))
+        print("Point read result: " + str(await self.container.read_item(item='Item_0', partition_key='pk')))
+        query_results = list(await self.container.query_items(query='select * from c', partition_key='pk'))
+        assert len(query_results) == 1
+        print("Query result: " + str(query_results[0]))
+        await self.container.delete_item(item='Item_0', partition_key='pk')
+
+        # Attempting to do management operations will return a 403 Forbidden exception
+        try:
+            await self.client.delete_database(self.configs.TEST_DATABASE_ID)
+        except exceptions.CosmosHttpResponseError as e:
+            assert e.status_code == 403
+            print("403 error assertion success")
+
+
+if __name__ == "__main__":
+    unittest.main()

sdk/cosmos/azure-cosmos/test/test_config.py

@@ -12,6 +12,8 @@
 from azure.cosmos.cosmos_client import CosmosClient
 from azure.cosmos.http_constants import StatusCodes
 from azure.cosmos.partition_key import PartitionKey
+from devtools_testutils.azure_recorded_testcase import get_credential
+from devtools_testutils.helpers import is_live
 
 try:
     import urllib3
@@ -22,14 +24,19 @@
 
 
 class TestConfig(object):
+    local_host = 'https://localhost:8081/'
     # [SuppressMessage("Microsoft.Security", "CS002:SecretInNextLine", Justification="Cosmos DB Emulator Key")]
     masterKey = os.getenv('ACCOUNT_KEY',
                           'C2y6yDjf5/R+ob0N8A7Cgv30VRDJIWEHLM+4QDU5DE2nQ9nDuVTqobD4b8mGGyPMbIZnqyMsEcaGQy67XIw/Jw==')
-    host = os.getenv('ACCOUNT_HOST', 'https://localhost:8081/')
+    host = os.getenv('ACCOUNT_HOST', local_host)
     connection_str = os.getenv('ACCOUNT_CONNECTION_STR', 'AccountEndpoint={};AccountKey={};'.format(host, masterKey))
 
     connectionPolicy = documents.ConnectionPolicy()
     connectionPolicy.DisableSSLVerification = True
+    is_emulator = host == local_host
+    is_live._cache = True if not is_emulator else False
+    credential =  masterKey if is_emulator else get_credential()
+    credential_async = masterKey if is_emulator else get_credential(is_async=True)
 
     global_host = os.getenv('GLOBAL_ACCOUNT_HOST', host)
     write_location_host = os.getenv('WRITE_LOCATION_HOST', host)

sdk/cosmos/azure-cosmos/test/test_query.py

@@ -27,20 +27,14 @@ class TestQuery(unittest.TestCase):
     client: cosmos_client.CosmosClient = None
     config = test_config.TestConfig
     host = config.host
-    masterKey = config.masterKey
     connectionPolicy = config.connectionPolicy
     TEST_DATABASE_ID = config.TEST_DATABASE_ID
+    is_emulator = config.is_emulator
+    credential = config.credential
 
     @classmethod
     def setUpClass(cls):
-        if (cls.masterKey == '[YOUR_KEY_HERE]' or
-                cls.host == '[YOUR_ENDPOINT_HERE]'):
-            raise Exception(
-                "You must specify your Azure Cosmos account values for "
-                "'masterKey' and 'host' at the top of this class to run the "
-                "tests.")
-
-        cls.client = cosmos_client.CosmosClient(cls.host, cls.masterKey)
+        cls.client = cosmos_client.CosmosClient(cls.host, cls.credential)
         cls.created_db = cls.client.get_database_client(cls.TEST_DATABASE_ID)
         if cls.host == "https://localhost:8081/":
             os.environ["AZURE_COSMOS_DISABLE_NON_STREAMING_ORDER_BY"] = "True"

sdk/cosmos/test-resources.bicep

@@ -13,7 +13,10 @@ param enableMultipleRegions bool = false
 param location string = resourceGroup().location
 
 @description('The api version to be used by Bicep to create resources')
-param apiVersion string = '2020-04-01'
+param apiVersion string = '2023-04-15'
+
+@description('The principal to assign the role to. This is application object id.')
+param testApplicationOid string
 
 var accountName = toLower(baseName)
 var resourceId = cosmosAccount.id
@@ -40,8 +43,11 @@ var multiRegionConfiguration = [
   }
 ]
 var locationsConfiguration = (enableMultipleRegions ? multiRegionConfiguration : singleRegionConfiguration)
+var roleDefinitionId = guid(baseName, 'roleDefinitionId')
+var roleAssignmentId = guid(baseName, 'roleAssignmentId') 
+var roleDefinitionName = 'ExpandedRbacActions'
 
-resource cosmosAccount 'Microsoft.DocumentDB/databaseAccounts@2020-04-01' = {
+resource cosmosAccount 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = {
   name: toLower(accountName)
   location: location
   kind: 'GlobalDocumentDB'
@@ -64,6 +70,37 @@ resource cosmosAccount 'Microsoft.DocumentDB/databaseAccounts@2020-04-01' = {
   }
 }
 
+resource accountName_roleDefinitionId 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2023-04-15' = {
+  parent: cosmosAccount 
+  name: roleDefinitionId
+  properties: {
+    roleName: roleDefinitionName
+    type: 'CustomRole'
+    assignableScopes: [
+      cosmosAccount.id 
+    ]
+    permissions: [
+      {
+        dataActions: [
+          'Microsoft.DocumentDB/databaseAccounts/readMetadata'
+          'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*'
+          'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*'
+        ]
+      }
+    ]
+  }
+}
+
+resource accountName_roleAssignmentId 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2023-04-15' = {
+  parent: cosmosAccount 
+  name: guid(resourceGroup().id, roleAssignmentId, testApplicationOid) 
+  properties: {
+    roleDefinitionId: accountName_roleDefinitionId.id
+    principalId: testApplicationOid 
+    scope: cosmosAccount.id
+  }
+}
+
 
 output ACCOUNT_HOST string = reference(resourceId, apiVersion).documentEndpoint
 output ACCOUNT_KEY string = listKeys(resourceId, apiVersion).primaryMasterKey

sdk/cosmos/tests.yml

@@ -3,13 +3,13 @@ trigger: none
 extends:
     template: ../../eng/pipelines/templates/stages/archetype-sdk-tests.yml
     parameters:
-      UseFederatedAuth: false
       Clouds: 'Cosmos_Public'
       CloudConfig:
         Cosmos_Public:
           SubscriptionConfigurations:
             - $(sub-config-azure-cloud-test-resources)
             - $(sub-config-cosmos-azure-cloud-test-resources)
+          ServiceConnection: azure-sdk-tests    
       MaxParallel: 6
       BuildTargetingString: azure-cosmos
       ServiceDirectory: cosmos