fix(azure): pass authority to credentials for sovereign clouds #10284

Open
Br1an67 wants to merge 1 commit into prowler-cloud:master from Br1an67:fix/issue-8425-azure-china-cloud-auth

@Br1an67 Br1an67 commented Mar 9, 2026

Fixes #8425

Context

When using Prowler to scan Azure sovereign clouds (AzureChinaCloud, AzureUSGovernment) with service principal authentication (--sp-env-auth) or browser authentication (--browser-auth), the token retrieval fails because the credentials are created without specifying the correct authority endpoint for the cloud environment.

Description

The ClientSecretCredential and InteractiveBrowserCredential classes were missing the authority parameter needed for sovereign cloud authentication. This caused authentication requests to go to the default public cloud authority (https://login.microsoftonline.com) instead of the correct sovereign cloud authority (e.g., https://login.chinacloudapi.cn for AzureChinaCloud).

The fix adds the authority=region_config.authority parameter to both credential types, aligning their behavior with DefaultAzureCredential which already included this parameter.

Changes:

  • Added authority=region_config.authority to ClientSecretCredential in setup_session()
  • Added authority=region_config.authority to InteractiveBrowserCredential in setup_session()

Files changed:

 prowler/providers/azure/azure_provider.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Steps to review

  1. Review the code changes in prowler/providers/azure/azure_provider.py
  2. Verify that the authority parameter is now passed to both ClientSecretCredential and InteractiveBrowserCredential
  3. Confirm that the change aligns with the existing pattern used for DefaultAzureCredential
  4. Run tests related to Azure authentication (if available locally)

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

The ClientSecretCredential and InteractiveBrowserCredential were missing
the authority parameter needed for sovereign cloud authentication (e.g.
AzureChinaCloud, AzureUSGovernment). This caused token retrieval to fail
when using --sp-env-auth or --browser-auth with non-default clouds.

The DefaultAzureCredential already included this parameter, so this
aligns the behavior across all authentication methods.
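
Added example, not code from this pull request or from Prowler: a fail-closed cloud-to-authority lookup, a service principal credential built with that authority, and a check that flags token requests sent to the wrong login host. The `AzureCloud` key, the function names and the sample URLs are assumptions made for illustration; `build_sp_credential` needs the `azure-identity` package.

```python
from urllib.parse import urlparse

# Authority hosts per cloud. The public and China hosts appear in the PR
# description; the US Government host is the value azure-identity publishes
# as AzureAuthorityHosts.AZURE_GOVERNMENT. "AzureCloud" as the public-cloud
# key is an assumption.
AUTHORITY_BY_CLOUD = {
    "AzureCloud": "login.microsoftonline.com",
    "AzureChinaCloud": "login.chinacloudapi.cn",
    "AzureUSGovernment": "login.microsoftonline.us",
}


def authority_for(cloud: str) -> str:
    """Fail closed: an unknown cloud must not fall back to the public authority."""
    try:
        return AUTHORITY_BY_CLOUD[cloud]
    except KeyError:
        raise ValueError(f"unknown Azure cloud: {cloud!r}") from None


def build_sp_credential(cloud, tenant_id, client_id, client_secret):
    """Service principal credential bound to the cloud's own authority."""
    from azure.identity import ClientSecretCredential  # needs azure-identity

    return ClientSecretCredential(
        tenant_id, client_id, client_secret, authority=authority_for(cloud)
    )


def misrouted_token_requests(cloud, urls):
    """Return token-request URLs whose host is not the authority for `cloud`."""
    expected = authority_for(cloud)
    return [u for u in urls if urlparse(u).hostname != expected]


# Constructed sample: token requests as they might appear in an egress proxy log.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token",
    "https://login.chinacloudapi.cn/00000000-0000-0000-0000-000000000000/oauth2/v2.0/token",
]

if __name__ == "__main__":
    for url in misrouted_token_requests("AzureChinaCloud", SAMPLE_URLS):
        print("wrong authority for AzureChinaCloud:", url)
```
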
@Br1an67 Br1an67 requested review from a team as code owners March 9, 2026 03:51
@github-actions github-actions bot added the provider/azure Issues/PRs related with the Azure provider label Mar 9, 2026
@github-actions github-actions bot added the community Opened by the Community label Mar 9, 2026
github-actions bot commented Mar 9, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@jfagoagas jfagoagas added the status/waiting-for-revision Waiting for maintainer's revision label Mar 9, 2026
@jfagoagas
Member

Hi @Br1an67, thanks for this one! Could you please add some evidence for us to validate that this fixes the bug? We don't have access to an Azure subscription in China, so we can't validate it.

codecov bot commented Mar 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.06%. Comparing base (b60867c) to head (b06e4b3).
⚠️ Report is 57 commits behind head on master.

Additional details and impacted files
@@             Coverage Diff             @@
##           master   #10284       +/-   ##
===========================================
+ Coverage   56.85%   86.06%   +29.21%     
===========================================
  Files          87      222      +135     
  Lines        2846     5720     +2874     
===========================================
+ Hits         1618     4923     +3305     
+ Misses       1228      797      -431     
Flag Coverage Δ
prowler-py3.10-azure 86.06% <100.00%> (?)
prowler-py3.10-oraclecloud ?
prowler-py3.11-azure 86.06% <100.00%> (?)
prowler-py3.11-oraclecloud ?
prowler-py3.12-azure 86.06% <100.00%> (?)
prowler-py3.12-oraclecloud ?
prowler-py3.9-azure 86.06% <100.00%> (?)
prowler-py3.9-oraclecloud ?


Components Coverage Δ
prowler 86.06% <100.00%> (+29.21%) ⬆️
api ∅ <ø> (∅)

@HugoPBrito HugoPBrito self-assigned this Mar 9, 2026
@Br1an67 Br1an67 force-pushed the fix/issue-8425-azure-china-cloud-auth branch from b06e4b3 to a78df7a Compare March 18, 2026 00:43
Development

Successfully merging this pull request may close these issues.

Unable to run a scan in AzureChinaCloud region
