fix security issue

Pavan-Microsoft · Pavan-Microsoft · commit bb500de04db8 · 2025-08-22T11:00:19.000+05:30
diff --git a/docs/workshop/docs/workshop/Challenge-5/python/content_understanding_client.py b/docs/workshop/docs/workshop/Challenge-5/python/content_understanding_client.py
@@ -32,13 +32,13 @@ def __init__(
         )
 
     def _get_analyzer_url(self, endpoint, api_version, analyzer_id):
-        return f"{endpoint}/contentunderstanding/analyzers/{analyzer_id}?api-version={api_version}"  # noqa
+        return f"{endpoint}/contentunderstanding/analyzers/{analyzer_id}?api-version={api_version}"
 
     def _get_analyzer_list_url(self, endpoint, api_version):
         return f"{endpoint}/contentunderstanding/analyzers?api-version={api_version}"
 
     def _get_analyze_url(self, endpoint, api_version, analyzer_id):
-        return f"{endpoint}/contentunderstanding/analyzers/{analyzer_id}:analyze?api-version={api_version}"  # noqa
+        return f"{endpoint}/contentunderstanding/analyzers/{analyzer_id}:analyze?api-version={api_version}"
 
     def _get_training_data_config(
         self, storage_container_sas_url, storage_container_path_prefix
@@ -143,7 +143,7 @@ def begin_create_analyzer(
         if (
             training_storage_container_sas_url
             and training_storage_container_path_prefix
-        ):  # noqa
+        ):
             analyzer_template["trainingData"] = self._get_training_data_config(
                 training_storage_container_sas_url,
                 training_storage_container_path_prefix,
diff --git a/infra/scripts/index_scripts/azure_credential_utils.py b/infra/scripts/index_scripts/azure_credential_utils.py
@@ -1,4 +1,4 @@
-from azure.identity import ManagedIdentityCredential, DefaultAzureCredential
+from azure.identity import ManagedIdentityCredential, AzureCliCredential
 
 APP_ENV = 'prod'  # Change to 'dev' for local development
 
@@ -13,10 +13,10 @@ def get_azure_credential(client_id=None):
         client_id (str, optional): The client ID for the managed identity. Defaults to None.
 
     Returns:
-        azure.identity.DefaultAzureCredential or azure.identity.ManagedIdentityCredential: 
+        azure.identity.AzureCliCredential or azure.identity.ManagedIdentityCredential: 
         The Azure credential object.
     """
     if APP_ENV == 'dev':
-        return DefaultAzureCredential() # CodeQL [SM05139] Okay use of DefaultAzureCredential as it is only used in development
+        return AzureCliCredential()
     else:
         return ManagedIdentityCredential(client_id=client_id)
diff --git a/infra/scripts/index_scripts/content_understanding_client.py b/infra/scripts/index_scripts/content_understanding_client.py
@@ -32,13 +32,13 @@ def __init__(
         )
 
     def _get_analyzer_url(self, endpoint, api_version, analyzer_id):
-        return f"{endpoint}/contentunderstanding/analyzers/{analyzer_id}?api-version={api_version}"  # noqa
+        return f"{endpoint}/contentunderstanding/analyzers/{analyzer_id}?api-version={api_version}"
 
     def _get_analyzer_list_url(self, endpoint, api_version):
         return f"{endpoint}/contentunderstanding/analyzers?api-version={api_version}"
 
     def _get_analyze_url(self, endpoint, api_version, analyzer_id):
-        return f"{endpoint}/contentunderstanding/analyzers/{analyzer_id}:analyze?api-version={api_version}"  # noqa
+        return f"{endpoint}/contentunderstanding/analyzers/{analyzer_id}:analyze?api-version={api_version}"
 
     def _get_training_data_config(
         self, storage_container_sas_url, storage_container_path_prefix
@@ -143,7 +143,7 @@ def begin_create_analyzer(
         if (
             training_storage_container_sas_url
             and training_storage_container_path_prefix
-        ):  # noqa
+        ):
             analyzer_template["trainingData"] = self._get_training_data_config(
                 training_storage_container_sas_url,
                 training_storage_container_path_prefix,
diff --git a/src/api/helpers/azure_credential_utils.py b/src/api/helpers/azure_credential_utils.py
@@ -1,23 +1,23 @@
 import os
-from azure.identity import ManagedIdentityCredential, DefaultAzureCredential
-from azure.identity.aio import ManagedIdentityCredential as AioManagedIdentityCredential, DefaultAzureCredential as AioDefaultAzureCredential
+from azure.identity import ManagedIdentityCredential, AzureCliCredential
+from azure.identity.aio import ManagedIdentityCredential as AioManagedIdentityCredential, AzureCliCredential as AioAzureCliCredential
 
 
 async def get_azure_credential_async(client_id=None):
     """
     Returns an Azure credential asynchronously based on the application environment.
 
-    If the environment is 'dev', it uses AioDefaultAzureCredential.
+    If the environment is 'dev', it uses AioAzureCliCredential.
     Otherwise, it uses AioManagedIdentityCredential.
 
     Args:
         client_id (str, optional): The client ID for the Managed Identity Credential.
 
     Returns:
-        Credential object: Either AioDefaultAzureCredential or AioManagedIdentityCredential.
+        Credential object: Either AioAzureCliCredential or AioManagedIdentityCredential.
     """
     if os.getenv("APP_ENV", "prod").lower() == 'dev':
-        return AioDefaultAzureCredential()  # CodeQL [SM05139] Okay use of DefaultAzureCredential as it is only used in development
+        return AioAzureCliCredential()
     else:
         return AioManagedIdentityCredential(client_id=client_id)
 
@@ -26,16 +26,16 @@ def get_azure_credential(client_id=None):
     """
     Returns an Azure credential based on the application environment.
 
-    If the environment is 'dev', it uses DefaultAzureCredential.
+    If the environment is 'dev', it uses AzureCliCredential.
     Otherwise, it uses ManagedIdentityCredential.
 
     Args:
         client_id (str, optional): The client ID for the Managed Identity Credential.
 
     Returns:
-        Credential object: Either DefaultAzureCredential or ManagedIdentityCredential.
+        Credential object: Either AzureCliCredential or ManagedIdentityCredential.
     """
     if os.getenv("APP_ENV", "prod").lower() == 'dev':
-        return DefaultAzureCredential()  # CodeQL [SM05139] Okay use of DefaultAzureCredential as it is only used in development
+        return AzureCliCredential()
     else:
         return ManagedIdentityCredential(client_id=client_id)
diff --git a/src/tests/api/helpers/test_azure_credential_utils.py b/src/tests/api/helpers/test_azure_credential_utils.py
@@ -15,27 +15,27 @@ def mock_env_vars():
 
 class TestAzureCredentialUtils:
     @patch.dict(os.environ, {}, clear=True)
-    @patch("helpers.azure_credential_utils.DefaultAzureCredential")
+    @patch("helpers.azure_credential_utils.AzureCliCredential")
     @patch("helpers.azure_credential_utils.ManagedIdentityCredential")
-    def test_get_azure_credential_dev_env(self, mock_managed_identity_credential, mock_default_azure_credential, mock_env_vars):
+    def test_get_azure_credential_dev_env(self, mock_managed_identity_credential, mock_azure_cli_credential, mock_env_vars):
         """Test get_azure_credential in dev environment."""
         # Arrange
         os.environ.update(mock_env_vars)
-        mock_default_credential = MagicMock()
-        mock_default_azure_credential.return_value = mock_default_credential
+        mock_azure_cli_credential = MagicMock()
+        mock_azure_cli_credential.return_value = mock_azure_cli_credential
 
         # Act
         credential = azure_credential_utils.get_azure_credential()
 
         # Assert
-        mock_default_azure_credential.assert_called_once()
+        mock_azure_cli_credential.assert_called_once()
         mock_managed_identity_credential.assert_not_called()
-        assert credential == mock_default_credential
+        assert credential == mock_azure_cli_credential
 
     @patch.dict(os.environ, {}, clear=True)
-    @patch("helpers.azure_credential_utils.DefaultAzureCredential")
+    @patch("helpers.azure_credential_utils.AzureCliCredential")
     @patch("helpers.azure_credential_utils.ManagedIdentityCredential")
-    def test_get_azure_credential_non_dev_env(self, mock_managed_identity_credential, mock_default_azure_credential, mock_env_vars):
+    def test_get_azure_credential_non_dev_env(self, mock_managed_identity_credential, mock_azure_cli_credential, mock_env_vars):
         """Test get_azure_credential in non-dev environment."""
         # Arrange
         mock_env_vars["APP_ENV"] = "prod"
@@ -48,33 +48,33 @@ def test_get_azure_credential_non_dev_env(self, mock_managed_identity_credential
 
         # Assert
         mock_managed_identity_credential.assert_called_once_with(client_id="test-client-id")
-        mock_default_azure_credential.assert_not_called()
+        mock_azure_cli_credential.assert_not_called()
         assert credential == mock_managed_credential
 
     @pytest.mark.asyncio
     @patch.dict(os.environ, {}, clear=True)
-    @patch("helpers.azure_credential_utils.AioDefaultAzureCredential")
+    @patch("helpers.azure_credential_utils.AioAzureCliCredential")
     @patch("helpers.azure_credential_utils.AioManagedIdentityCredential")
-    async def test_get_azure_credential_async_dev_env(self, mock_aio_managed_identity_credential, mock_aio_default_azure_credential, mock_env_vars):
+    async def test_get_azure_credential_async_dev_env(self, mock_aio_managed_identity_credential, mock_aio_azure_cli_credential, mock_env_vars):
         """Test get_azure_credential_async in dev environment."""
         # Arrange
         os.environ.update(mock_env_vars)
-        mock_aio_default_credential = MagicMock()
-        mock_aio_default_azure_credential.return_value = mock_aio_default_credential
+        mock_aio_azure_cli_credential = MagicMock()
+        mock_aio_azure_cli_credential.return_value = mock_aio_azure_cli_credential
 
         # Act
         credential = await azure_credential_utils.get_azure_credential_async()
 
         # Assert
-        mock_aio_default_azure_credential.assert_called_once()
+        mock_aio_azure_cli_credential.assert_called_once()
         mock_aio_managed_identity_credential.assert_not_called()
-        assert credential == mock_aio_default_credential
+        assert credential == mock_aio_azure_cli_credential
 
     @pytest.mark.asyncio
     @patch.dict(os.environ, {}, clear=True)
-    @patch("helpers.azure_credential_utils.AioDefaultAzureCredential")
+    @patch("helpers.azure_credential_utils.AioAzureCliCredential")
     @patch("helpers.azure_credential_utils.AioManagedIdentityCredential")
-    async def test_get_azure_credential_async_non_dev_env(self, mock_aio_managed_identity_credential, mock_aio_default_azure_credential, mock_env_vars):
+    async def test_get_azure_credential_async_non_dev_env(self, mock_aio_managed_identity_credential, mock_aio_azure_cli_credential, mock_env_vars):
         """Test get_azure_credential_async in non-dev environment."""
         # Arrange
         mock_env_vars["APP_ENV"] = "prod"
@@ -87,5 +87,5 @@ async def test_get_azure_credential_async_non_dev_env(self, mock_aio_managed_ide
 
         # Assert
         mock_aio_managed_identity_credential.assert_called_once_with(client_id="test-client-id")
-        mock_aio_default_azure_credential.assert_not_called()
+        mock_aio_azure_cli_credential.assert_not_called()
         assert credential == mock_aio_managed_credential
