Users/davidmiri/2233178 support late bound idtoken (#21580)

* Support idToken late bidning in service endpoint for WIF SC

* Add unit tests

* Polish message

* Try to fix tests attempt 1

* Fix tests attempt 2

* Standardize environment variable names for late-bound ID token feature flags

Author: rm-dmiri

Tasks/AzureCLIV2/Tests/L0.ts

@@ -1,16 +1,60 @@
 import fs = require('fs');
 import assert = require('assert');
 import path = require('path');
+import * as ttm from 'azure-pipelines-task-lib/mock-test';
 
 describe('AzureCLIV2 Suite', function () {
+    this.timeout(20000);
+
     before(() => {
     });
 
     after(() => {
     });
 
-    it('Does a basic hello world test', function (done: MochaDone) {
-        // TODO - add real tests
-        done();
+    it('LateBoundIdToken: Feature Flag ON, Token Present -> Uses Token, Emits Telemetry', async () => {
+        let tp = path.join(__dirname, 'LateBoundIdToken_FeatureFlagOn_TokenPresent.js');
+        let tr: ttm.MockTestRunner = new ttm.MockTestRunner(tp);
+        await tr.runAsync();
+
+        if (!tr.succeeded) {
+            console.log('STDOUT:', tr.stdout);
+            console.log('STDERR:', tr.stderr);
+        }
+
+        assert(tr.succeeded, 'task should have succeeded');
+        assert(tr.stdout.indexOf('MOCK_TELEMETRY: AzureCLIV2, LateBoundIdToken, {"connectedService":"AzureRM","idTokenPresent":"true"}') >= 0, 'should emit telemetry with idTokenPresent=true');
+        assert(tr.stdout.indexOf('Using bound idToken from service endpoint.') >= 0, 'should log that it is using bound idToken');
+        assert(tr.stdout.indexOf('MOCK_CREATE_OIDC_TOKEN_CALLED') === -1, 'should NOT call createOidcToken');
+    });
+
+    it('LateBoundIdToken: Feature Flag ON, Token Missing -> Calls API, Emits Telemetry', async () => {
+        let tp = path.join(__dirname, 'LateBoundIdToken_FeatureFlagOn_TokenMissing.js');
+        let tr: ttm.MockTestRunner = new ttm.MockTestRunner(tp);
+        await tr.runAsync();
+
+        if (!tr.succeeded) {
+            console.log('STDOUT:', tr.stdout);
+            console.log('STDERR:', tr.stderr);
+        }
+
+        assert(tr.succeeded, 'task should have succeeded');
+        assert(tr.stdout.indexOf('MOCK_TELEMETRY: AzureCLIV2, LateBoundIdToken, {"connectedService":"AzureRM","idTokenPresent":"false"}') >= 0, 'should emit telemetry with idTokenPresent=false');
+        assert(tr.stdout.indexOf('MOCK_CREATE_OIDC_TOKEN_CALLED') >= 0, 'should call createOidcToken');
+    });
+
+    it('LateBoundIdToken: Feature Flag OFF -> Calls API, No Telemetry', async () => {
+        let tp = path.join(__dirname, 'LateBoundIdToken_FeatureFlagOff.js');
+        let tr: ttm.MockTestRunner = new ttm.MockTestRunner(tp);
+        await tr.runAsync();
+
+        if (!tr.succeeded) {
+            console.log('STDOUT:', tr.stdout);
+            console.log('STDERR:', tr.stderr);
+        }
+
+        assert(tr.succeeded, 'task should have succeeded');
+        assert(tr.stdout.indexOf('MOCK_TELEMETRY: AzureCLIV2, LateBoundIdToken') === -1, 'should NOT emit LateBoundIdToken telemetry');
+        assert(tr.stdout.indexOf('MOCK_CREATE_OIDC_TOKEN_CALLED') >= 0, 'should call createOidcToken');
     });
 });

Tasks/AzureCLIV2/Tests/LateBoundIdToken_FeatureFlagOff.ts

@@ -0,0 +1,115 @@
+import ma = require('azure-pipelines-task-lib/mock-answer');
+import tmrm = require('azure-pipelines-task-lib/mock-run');
+import path = require('path');
+
+let taskPath = path.join(__dirname, '..', 'azureclitask.js');
+let tmr: tmrm.TaskMockRunner = new tmrm.TaskMockRunner(taskPath);
+
+// Inputs
+tmr.setInput('connectedServiceNameARM', 'AzureRM');
+tmr.setInput('scriptType', 'bash');
+tmr.setInput('scriptLocation', 'inlineScript');
+tmr.setInput('inlineScript', 'echo hello');
+tmr.setInput('cwd', '/tmp');
+tmr.setInput('visibleAzLogin', 'true');
+
+// Environment variables for Feature Flag (OFF)
+process.env['DISTRIBUTEDTASK_TASKS_ENABLELATEBOUNDIDTOKEN'] = 'false';
+process.env['DISTRIBUTEDTASK_TASKS_USEAZVERSION'] = 'false';
+
+// Mock Endpoint (idToken present but should be ignored)
+process.env['ENDPOINT_URL_AzureRM'] = 'https://management.azure.com/';
+process.env['ENDPOINT_AUTH_AzureRM'] = '{"parameters":{"serviceprincipalid":"spId","serviceprincipalkey":"spKey","tenantid":"tenantId","idToken":"ignoredToken"},"scheme":"WorkloadIdentityFederation"}';
+process.env['ENDPOINT_AUTH_SCHEME_AzureRM'] = 'WorkloadIdentityFederation';
+process.env['ENDPOINT_AUTH_PARAMETER_AzureRM_SERVICEPRINCIPALID'] = 'spId';
+process.env['ENDPOINT_AUTH_PARAMETER_AzureRM_SERVICEPRINCIPALKEY'] = 'spKey';
+process.env['ENDPOINT_AUTH_PARAMETER_AzureRM_TENANTID'] = 'tenantId';
+process.env['ENDPOINT_AUTH_PARAMETER_AzureRM_IDTOKEN'] = 'ignoredToken';
+process.env['ENDPOINT_DATA_AzureRM'] = '{"environment":"AzureCloud"}';
+process.env['ENDPOINT_AUTH_SYSTEMVSSCONNECTION'] = '{"parameters":{"AccessToken":"token"},"scheme":"OAuth"}';
+process.env['ENDPOINT_AUTH_SCHEME_SYSTEMVSSCONNECTION'] = 'OAuth';
+process.env['ENDPOINT_AUTH_PARAMETER_SYSTEMVSSCONNECTION_ACCESSTOKEN'] = 'token';
+
+// Mock Telemetry
+tmr.registerMock('azure-pipelines-tasks-artifacts-common/telemetry', {
+    emitTelemetry: (area, feature, data) => {
+        console.log(`MOCK_TELEMETRY: ${area}, ${feature}, ${JSON.stringify(data)}`);
+    }
+});
+
+// Mock WebApi (Should be called)
+tmr.registerMock('azure-devops-node-api', {
+    getHandlerFromToken: () => {},
+    WebApi: class {
+        getTaskApi() { 
+            return Promise.resolve({ 
+                createOidcToken: () => { 
+                    console.log("MOCK_CREATE_OIDC_TOKEN_CALLED");
+                    return Promise.resolve({ oidcToken: "oidcTokenFromApi" }); 
+                } 
+            }); 
+        }
+    }
+});
+
+// Mock Utility
+tmr.registerMock('./src/Utility', {
+    Utility: {
+        checkIfAzurePythonSdkIsInstalled: () => true,
+        throwIfError: () => {}
+    }
+});
+
+// Mock ScriptType
+tmr.registerMock('./src/ScriptType', {
+    ScriptTypeFactory: {
+        getSriptType: () => {
+            return {
+                getTool: () => {
+                    return {
+                        exec: () => Promise.resolve(0),
+                        on: () => {}
+                    };
+                },
+                cleanUp: () => Promise.resolve()
+            };
+        }
+    }
+});
+
+// Mock azCliUtility
+tmr.registerMock('azure-pipelines-tasks-azure-arm-rest/azCliUtility', {
+    validateAzModuleVersion: () => Promise.resolve()
+});
+
+// Mock toolrunner
+tmr.registerMock('azure-pipelines-task-lib/toolrunner', require('azure-pipelines-task-lib/mock-toolrunner'));
+
+// Answers
+let a: ma.TaskLibAnswers = <ma.TaskLibAnswers>{
+    "which": {
+        "az": "az"
+    },
+    "checkPath": {
+        "az": true
+    },
+    "exec": {
+        "az version": {
+            "code": 0,
+            "stdout": "azure-cli 2.66.0"
+        },
+        "az --version": {
+            "code": 0,
+            "stdout": "azure-cli 2.66.0"
+        },
+        "az account clear": {
+            "code": 0
+        },
+        "az login --service-principal -u \"spId\" --tenant \"tenantId\" --allow-no-subscriptions --federated-token \"oidcTokenFromApi\"": {
+            "code": 0
+        }
+    }
+};
+tmr.setAnswers(a);
+
+tmr.run();

Tasks/AzureCLIV2/Tests/LateBoundIdToken_FeatureFlagOn_TokenMissing.ts

@@ -0,0 +1,114 @@
+import ma = require('azure-pipelines-task-lib/mock-answer');
+import tmrm = require('azure-pipelines-task-lib/mock-run');
+import path = require('path');
+
+let taskPath = path.join(__dirname, '..', 'azureclitask.js');
+let tmr: tmrm.TaskMockRunner = new tmrm.TaskMockRunner(taskPath);
+
+// Inputs
+tmr.setInput('connectedServiceNameARM', 'AzureRM');
+tmr.setInput('scriptType', 'bash');
+tmr.setInput('scriptLocation', 'inlineScript');
+tmr.setInput('inlineScript', 'echo hello');
+tmr.setInput('cwd', '/tmp');
+tmr.setInput('visibleAzLogin', 'true');
+
+// Environment variables for Feature Flag
+process.env['DISTRIBUTEDTASK_TASKS_ENABLELATEBOUNDIDTOKEN'] = 'true';
+process.env['DISTRIBUTEDTASK_TASKS_USEAZVERSION'] = 'false';
+
+// Mock Endpoint (Missing idToken)
+process.env['ENDPOINT_URL_AzureRM'] = 'https://management.azure.com/';
+process.env['ENDPOINT_AUTH_AzureRM'] = '{"parameters":{"serviceprincipalid":"spId","serviceprincipalkey":"spKey","tenantid":"tenantId"},"scheme":"WorkloadIdentityFederation"}';
+process.env['ENDPOINT_AUTH_SCHEME_AzureRM'] = 'WorkloadIdentityFederation';
+process.env['ENDPOINT_AUTH_PARAMETER_AzureRM_SERVICEPRINCIPALID'] = 'spId';
+process.env['ENDPOINT_AUTH_PARAMETER_AzureRM_SERVICEPRINCIPALKEY'] = 'spKey';
+process.env['ENDPOINT_AUTH_PARAMETER_AzureRM_TENANTID'] = 'tenantId';
+process.env['ENDPOINT_DATA_AzureRM'] = '{"environment":"AzureCloud"}';
+process.env['ENDPOINT_AUTH_SYSTEMVSSCONNECTION'] = '{"parameters":{"AccessToken":"token"},"scheme":"OAuth"}';
+process.env['ENDPOINT_AUTH_SCHEME_SYSTEMVSSCONNECTION'] = 'OAuth';
+process.env['ENDPOINT_AUTH_PARAMETER_SYSTEMVSSCONNECTION_ACCESSTOKEN'] = 'token';
+
+// Mock Telemetry
+tmr.registerMock('azure-pipelines-tasks-artifacts-common/telemetry', {
+    emitTelemetry: (area, feature, data) => {
+        console.log(`MOCK_TELEMETRY: ${area}, ${feature}, ${JSON.stringify(data)}`);
+    }
+});
+
+// Mock WebApi (Should be called)
+tmr.registerMock('azure-devops-node-api', {
+    getHandlerFromToken: () => {},
+    WebApi: class {
+        getTaskApi() { 
+            return Promise.resolve({ 
+                createOidcToken: () => { 
+                    console.log("MOCK_CREATE_OIDC_TOKEN_CALLED");
+                    return Promise.resolve({ oidcToken: "oidcTokenFromApi" }); 
+                } 
+            }); 
+        }
+    }
+});
+
+// Mock Utility
+tmr.registerMock('./src/Utility', {
+    Utility: {
+        checkIfAzurePythonSdkIsInstalled: () => true,
+        throwIfError: () => {}
+    }
+});
+
+// Mock ScriptType
+tmr.registerMock('./src/ScriptType', {
+    ScriptTypeFactory: {
+        getSriptType: () => {
+            return {
+                getTool: () => {
+                    return {
+                        exec: () => Promise.resolve(0),
+                        on: () => {}
+                    };
+                },
+                cleanUp: () => Promise.resolve()
+            };
+        }
+    }
+});
+
+// Mock azCliUtility
+tmr.registerMock('azure-pipelines-tasks-azure-arm-rest/azCliUtility', {
+    validateAzModuleVersion: () => Promise.resolve()
+});
+
+// Mock toolrunner
+tmr.registerMock('azure-pipelines-task-lib/toolrunner', require('azure-pipelines-task-lib/mock-toolrunner'));
+
+// Answers
+let a: ma.TaskLibAnswers = <ma.TaskLibAnswers>{
+    "which": {
+        "az": "az"
+    },
+    "checkPath": {
+        "az": true
+    },
+    "exec": {
+        "az version": {
+            "code": 0,
+            "stdout": "azure-cli 2.66.0"
+        },
+        "az --version": {
+            "code": 0,
+            "stdout": "azure-cli 2.66.0"
+        },
+        "az account clear": {
+            "code": 0
+        },
+        "az login --service-principal -u \"spId\" --tenant \"tenantId\" --allow-no-subscriptions --federated-token \"oidcTokenFromApi\"": {
+            "code": 0
+        }
+    }
+};
+tmr.setAnswers(a);
+
+tmr.run();