Added FIC auth support (#1539)

suyadav1 · web-flow · commit 089b059607f1 · 2025-10-08T23:36:40.000Z
diff --git a/test/e2e/src/common/arm_rest_utility.py b/test/e2e/src/common/arm_rest_utility.py
@@ -1,25 +1,56 @@
-import adal
 import pytest
+import os
+import json
+import requests
+from azure.identity import ClientAssertionCredential, ClientSecretCredential, ManagedIdentityCredential, CertificateCredential
 
-from msrestazure.azure_active_directory import AADTokenCredentials
+# Function that returns aad token credentials for a given spn
+# Default behavior is to use managed identity, if use_cert_auth is set we attempt to use a certificate, if use_SPN_auth is set we fall back to SPN client secret auth
+def get_fed_token():
+    system_accesstoken = os.getenv('SYSTEM_ACCESSTOKEN')
+    service_connection_id = os.getenv('SERVICE_CONNECTION_ID')
+    system_oidc_request_uri = os.getenv('SYSTEM_OIDCREQUESTURI')
 
+    if system_accesstoken and service_connection_id and system_oidc_request_uri:
+        # Construct the OIDC_REQUEST_URL
+        oidc_request_url = f"{system_oidc_request_uri}?api-version=7.1&serviceConnectionId={service_connection_id}"
+         # Preparing headers for ADO Pipeline OIDC authentication
+        headers = {
+            "Content-Length": "0",
+            "Content-Type": "application/json",
+            "Authorization": f"Bearer {system_accesstoken}"
+        }
 
-# Function to fetch aad token from spn id and password
-def fetch_aad_token(client_id, client_secret, authority_uri, resource_uri):
-    """
-    Authenticate using service principal w/ key.
-    """
-    try:
-        context = adal.AuthenticationContext(authority_uri, api_version=None)
-        return context.acquire_token_with_client_credentials(resource_uri, client_id, client_secret)
-    except Exception as e:
-        pytest.fail("Error occured while fetching aad token: " + str(e))
+        # Make the POST request
+        response = requests.post(oidc_request_url, headers=headers)
 
+        # Check the response and extract the OIDC token
+        if response.status_code == 200:
+            # Assuming the response is JSON and has an 'oidcToken' field
+            arm_oidc_token = response.json().get('oidcToken')
+            print("Return Fed token")
+            return arm_oidc_token
+        else:
+            print("Failed to retrieve FED Token:", response.status_code, response.text)
 
-# Function that returns aad token credentials for a given spn
-def fetch_aad_token_credentials(client_id, client_secret, authority_uri, resource_uri):
-    mgmt_token = fetch_aad_token(client_id, client_secret, authority_uri, resource_uri)
+    else:
+        print("""
+        One or more variables (SYSTEM_ACCESSTOKEN, 
+        SERVICE_CONNECTION_ID, 
+        SYSTEM_OIDCREQUESTURI) are either not set or empty.
+        """)
+
+def fetch_aad_token_credentials(tenant_id, client_id, client_secret, authority, use_cert_auth = False, use_SPN_auth = False, use_FIC_auth = False):
     try:
-        return AADTokenCredentials(mgmt_token, client_id)
+        if use_FIC_auth:
+            return ClientAssertionCredential(tenant_id=tenant_id, client_id=client_id, func=get_fed_token, authority=authority)
+        if use_SPN_auth:
+            return ClientSecretCredential(tenant_id=tenant_id, client_id=client_id, client_secret=client_secret, authority=authority)
+        if use_cert_auth:
+            import base64
+            cert_bytes = base64.b64decode(client_secret)
+            return CertificateCredential(tenant_id=tenant_id, client_id=client_id, certificate_data=cert_bytes, send_certificate_chain=True)
+        else:
+            return ManagedIdentityCredential(client_id=client_id)
     except Exception as e:
         pytest.fail("Error occured while fetching credentials: " + str(e))
diff --git a/test/e2e/src/core/e2e_tests.sh b/test/e2e/src/core/e2e_tests.sh
@@ -155,7 +155,34 @@ deleteArcCIExtension() {
 }
 
 login_to_azure() {
-   if [[ -z $WORKLOAD_CLIENT_ID ]]; then
+   ## Federted Identity credentials authentication mechanism added.
+	if [[ -v SYSTEM_ACCESSTOKEN && -n "$SYSTEM_ACCESSTOKEN" &&
+	      -v SERVICE_CONNECTION_ID && -n "$SERVICE_CONNECTION_ID" &&
+	      -v SYSTEM_OIDCREQUESTURI && -n "$SYSTEM_OIDCREQUESTURI" ]]; then
+	
+	  export OIDC_REQUEST_URL="${SYSTEM_OIDCREQUESTURI}?api-version=7.1&serviceConnectionId=${SERVICE_CONNECTION_ID}"
+	  echo "OIDC_REQUEST_URL= $OIDC_REQUEST_URL"
+	
+	  FED_TOKEN=$(curl -s -H "Content-Length: 0" -H "Content-Type: application/json" -H "Authorization: Bearer $SYSTEM_ACCESSTOKEN" -X POST $OIDC_REQUEST_URL | jq -r '.oidcToken')
+	  echo "FED_TOKEN= $FED_TOKEN"
+	
+	  echo "logging in using Federated Identity"
+	  az login --service-principal -u $FED_CLIENT_ID  --tenant $TENANT_ID --allow-no-subscriptions --federated-token $FED_TOKEN 2> >(tee "${results_dir}/error" >&2) || python3 setup_failure_handler.py
+	
+	elif [[ -v BASE_64_CLIENT_CERTIFICATE && -n "$BASE_64_CLIENT_CERTIFICATE" ]]; then
+	  BASE_64_CLIENT_CERTIFICATE=${BASE_64_CLIENT_CERTIFICATE#\"}   # Remove leading quote
+	  BASE_64_CLIENT_CERTIFICATE=${BASE_64_CLIENT_CERTIFICATE%\"} # Remove trailing quote
+	  echo "logging in using Certificate '${BASE_64_CLIENT_CERTIFICATE}'"
+	  ## create base64 cert to pem
+	  echo ${BASE_64_CLIENT_CERTIFICATE:0} | tr ' ' "\n" > base64_cert
+	  # convert base64 to PEM
+	  openssl base64 -d -in base64_cert -out clientcert.pem
+	  # minutes=60
+	  # seconds=$((minutes * 60))
+	  # sleep $seconds
+	  az login --service-principal --use-cert-sn-issuer -u $CLIENT_ID -p clientcert.pem --tenant $TENANT_ID 2> >(tee "${results_dir}/error" >&2) || python3 setup_failure_handler.py
+	  
+	elif [[ -z $WORKLOAD_CLIENT_ID ]]; then
       echo "logging in using service principal '${CLIENT_ID}'"
       az login --service-principal \
          -u ${CLIENT_ID} \
@@ -166,9 +193,11 @@ login_to_azure() {
       az login --identity \
          -u ${WORKLOAD_CLIENT_ID} 2> ${results_dir}/error || python3 setup_failure_handler.py
    fi
-
-	echo "setting subscription: ${SUBSCRIPTION_ID} as default subscription"
-	az account set -s $SUBSCRIPTION_ID
+	
+   echo "setting subscription: ${SUBSCRIPTION_ID} as default subscription"
+	##
+	az account set \
+	  --subscription ${SUBSCRIPTION_ID} 2> >(tee "${results_dir}/error" >&2) || python3 setup_failure_handler.py
 }
 
 
