Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Identity] Adding regional STS support #15778

Merged
11 commits merged into from
Jun 18, 2021
Merged

Conversation

sadasant
Copy link
Contributor

@sadasant sadasant commented Jun 16, 2021

Added regional STS support to client credential types.

  • Added the RegionalAuthority type, that allows specifying Azure regions.
  • Added regionalAuthority property to ClientSecretCredentialOptions and ClientCertificateCredentialOptions.
  • If instead of a region, autoDiscoverRegion is specified as the value for regionalAuthority, MSAL will be used to attempt to discover the region.
  • A region can also be specified through the AZURE_REGIONAL_AUTHORITY_NAME environment variable.

Fixes #15762
Fixes #15714

@sadasant sadasant force-pushed the identity/fix15762 branch from a8e90ca to c8cf76e Compare June 16, 2021 20:05
@@ -43,7 +43,8 @@
"test:node": "npm run clean && npm run build:test && npm run unit-test:node && npm run integration-test:node",
"test": "npm run clean && npm run build:test && npm run unit-test && npm run integration-test",
"unit-test:browser": "karma start --single-run",
"unit-test:node": "mocha -r esm -r ts-node/register --reporter ../../../common/tools/mocha-multi-reporter.js --timeout 180000 --full-trace --exclude \"test/**/browser/**/*.spec.ts\" \"test/**/*.spec.ts\"",
"unit-test:node": "mocha -r esm -r ts-node/register --reporter ../../../common/tools/mocha-multi-reporter.js --timeout 300000 --full-trace --exclude \"test/**/browser/**/*.spec.ts\" \"test/**/*.spec.ts\"",
"unit-test:node:no-timeouts": "mocha -r esm -r ts-node/register --reporter ../../../common/tools/mocha-multi-reporter.js --no-timeouts --full-trace --exclude \"test/**/browser/**/*.spec.ts\" \"test/**/*.spec.ts\"",
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I’ve increased the timeout because the live regional test is very time consuming. I’ve added a no-timeouts line here to help testing. We have something similar on Key Vault.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My understanding is we can't fix the tests to be fast because it depends on MSAL and MSAL is slow, even for unit tests? In theory these shouldn't be unit tests, but live tests if they need external deps.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are live tests. On playback they are pretty fast. In the three tests I’m adding here, only one does finish. The one that finishes takes 27 seconds

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reason these tests are taking so long is because the test is using the region RegionalAuthority.AutoDiscoverRegion. This results in MSAL trying to discover the region it is running in which it does, in part, by trying to query IMDS. I'm assuming this is likely timing out if you're running in a local environment.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are alternatives that may work that seem complicated in my mind. The alternative that seems simple is to remove the live test. We have two other tests that verify that the parameter is sent through MSAL, which should be enough. What do you think?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh I can record this test with a specific region, then only enable it for playback 🤔 I’ll do that for now

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It’s not timing out though, the recordings show all 200s 🤔

Copy link
Member

@xirzec xirzec left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks nice and clean to me. Some minor comments, but I defer to @schaabs for the final naming/shape of things.


constructor(options: MsalNodeOptions) {
super(options);
this.msalConfig = this.defaultNodeMsalConfig(options);
this.clientId = this.msalConfig.auth.clientId;
this.azureRegion = options.regionalAuthority || process.env.AZURE_REGIONAL_AUTHORITY_NAME;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems like the right priority, but I wonder if the env variable should trump the auto discover setting or not. I don't have strong feelings about it though, since it's easiest to say the option passed always wins.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can see your point about auto discover, however, I think we should stick to the convention that code configuration always wins as you put it. We follow this convention with all our other supported environment variables. Altering this behavior based of the value specified adds a lot of complexity without much benefit.

sdk/identity/identity/src/regionalAuthority.ts Outdated Show resolved Hide resolved
@@ -43,7 +43,8 @@
"test:node": "npm run clean && npm run build:test && npm run unit-test:node && npm run integration-test:node",
"test": "npm run clean && npm run build:test && npm run unit-test && npm run integration-test",
"unit-test:browser": "karma start --single-run",
"unit-test:node": "mocha -r esm -r ts-node/register --reporter ../../../common/tools/mocha-multi-reporter.js --timeout 180000 --full-trace --exclude \"test/**/browser/**/*.spec.ts\" \"test/**/*.spec.ts\"",
"unit-test:node": "mocha -r esm -r ts-node/register --reporter ../../../common/tools/mocha-multi-reporter.js --timeout 300000 --full-trace --exclude \"test/**/browser/**/*.spec.ts\" \"test/**/*.spec.ts\"",
"unit-test:node:no-timeouts": "mocha -r esm -r ts-node/register --reporter ../../../common/tools/mocha-multi-reporter.js --no-timeouts --full-trace --exclude \"test/**/browser/**/*.spec.ts\" \"test/**/*.spec.ts\"",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My understanding is we can't fix the tests to be fast because it depends on MSAL and MSAL is slow, even for unit tests? In theory these shouldn't be unit tests, but live tests if they need external deps.

AustraliaCentralValue = "australiacentral",
AustraliaEastValue = "australiaeast",
AustraliaSouthEastValue = "australiasoutheast",
AutoDiscoverRegion = "AUTO_DISCOVER",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's interesting that MSAL for node seems to use a different constant for this than .NET, which uses the string constant "TryAutoDetect" which it exposes as a constant AttemptRegionDiscovery. Does MSAL for node have a constant defined for this? If so I think we should use it to ensure we're always in sync with this value.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don’t see it here: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-node/docs/regional-authorities.md

I’ll ask the MSAL team.

What is the value of the AutoDiscoverRegion in .Net? I don’t quite understand it in the .NET’s PR. What would be the equivalent for JS on the public API perspective? I can hide the internals.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As discussed, I’ll use the value AutoDiscoverRegion for now.

Copy link
Member

@schaabs schaabs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a couple of minor comments. Otherwise, looks great!

sadasant and others added 3 commits June 17, 2021 13:19
Copy link
Member

@witemple-msft witemple-msft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple of nits.

sdk/identity/identity/review/identity.api.md Outdated Show resolved Hide resolved
sdk/identity/identity/src/msal/nodeFlows/nodeCommon.ts Outdated Show resolved Hide resolved
@ghost
Copy link

ghost commented Jun 18, 2021

Hello @sadasant!

Because this pull request has the auto-merge label, I will be glad to assist with helping to merge this pull request once all check-in policies pass.

p.s. you can customize the way I help with merging this pull request, such as holding this pull request until a specific person approves. Simply @mention me (@msftbot) and give me an instruction to get started! Learn more here.

@ghost ghost merged commit 32c780f into Azure:master Jun 18, 2021
openapi-sdkautomation bot pushed a commit to AzureSDKAutomation/azure-sdk-for-js that referenced this pull request Dec 9, 2021
Microsoft.SecurityInsights 2021-09-01-preview (Azure#16933)

* Adds base for updating Microsoft.SecurityInsights from version preview/2021-03-01-preview to version 2021-09-01-preview

* Updates readme

* Updates API version in new specs and examples

* Microsoft.security insights 2021 09 01 preview add missing resources (Azure#15531)

* Copy missing resources specs and examples from 2019-01-01-preview

* Update added resources specs and examples and extract common types

* Update readme

* Extract ClientInfo, UserInfo and Lable to common types

* Fix SpellCheck and Avocado

* Return ThreatIntelligence to readme

* Fix broken refs in Watchlists

* Resolve duplicate schema errors

* Run prettier

* Make common types prettier

* Add required property to operations according to ARM requirments

* Fix readme

* Add file separators to readme

* Rename example file

* Supress OBJECT_ADDITIONAL_PROPERTIES

* Add 'where' to OBJECT_ADDITIONAL_PROPERTIES supression

* Move OBJECT_ADDITIONAL_PROPERTIES supression under general Supression section.

* Copy dataConnectors from 2021-03-01-preview

* Update version of dataConnectors (this was done as there were errors when trying to generate C# client. Copying and changing version again fixed the problem).

* Add dataConnectorsCheckRequirments path, parameters and definitions from 2019-01-01-preveiw

Co-authored-by: Anat Gilenson <anatgilenson@microsoft.com>

* Use newest common types in new 2021-09-01-preview API version (Azure#15778)

* Use newest common types in AlertRules

* Use newest common types in AutomationRules

* Use newest common types in Bookmarks

* Use newest common types in dataConnectors

* Use newest common types in Enrichment

* Use newest common types in Entities

* Use newest common types in EntityQueries

* Use newest common types in Incidents

* Use newest common types in Metadata

* Use newest common types in OfficeConsents

* Use newest common types in OnboardingStates

* Use newest common types in operations

* Use newest common types in Settings

* Use newest common types in SourceControls

* Use newest common types in ThreatIntelligence

* Use newest common types in Watchlist

* Use newest common types in EntityTypes

* Use newest common types in RelationTypes

* Fix ThreatIntelligence

Co-authored-by: Anat Gilenson <anatgilenson@microsoft.com>

* Add template version to the scheduled alert rule + scheduled template (Azure#15919)

* Add template version to the scheduled alert rule

* Update AlertRules.json

* Update AlertRules.json

* Update AlertRules.json

* Update AlertRules.json

* Update GetAlertRuleTemplates.json

* Update GetAlertRuleTemplateById.json

* add aws s3 connector (Azure#15844)

* Add a new kind of alert rules - NRT (Azure#15980)

* add NRT rule

* add NRT rule

* add NRT rule

* add NRT rule

* fix typo

* fix typo

* fix

* Align new Metadata feature with 2021-03-01-preview (Azure#16304)

Co-authored-by: Anat Gilenson <anatgilenson@microsoft.com>

* Add fixes from 2021-03-01-preview (Azure#16238)

Co-authored-by: Anat Gilenson <anatgilenson@microsoft.com>

* Add entity query templates (Azure#16269)

* Add entity query templates from 2021-03-01-preview

* Update version

* Use newest common types and update readme

* Fix conflicting common types

Co-authored-by: Anat Gilenson <anatgilenson@microsoft.com>

* Fix bookmark relations operatinIds to be consistent with other operationIds. (Azure#16519)

Co-authored-by: Anat Gilenson <anatgilenson@microsoft.com>

* Add corrections from 2021-03-01-preview (Azure#16490)

Co-authored-by: Anat Gilenson <anatgilenson@microsoft.com>

* Remove unused parameters (Azure#16619)

Co-authored-by: Anat Gilenson <anatgilenson@microsoft.com>

* Update readme default readme tag for client generation (Azure#16620)

Co-authored-by: Anat Gilenson <anatgilenson@microsoft.com>

* Use CloudError instead of ErrorResponse to avoid breaking change (Azure#16691)

Co-authored-by: Anat Gilenson <anatgilenson@microsoft.com>

* Add data connectors polling ccp api support (Azure#16293)

* adding dataConnectors polling CCP api Support. (witout tests validations)

* azure sentinel dataconnectors update examples

* azure sentinel dataConnectors examples update and fix

* azure sentinel dataConnectors prettier

* azure sentinel dataConnectors add connect disconnect examples update path

* azure sentinel dataConnectors add connect disconnect examples fix

* azure sentinel dataConnectors add connect disconnect examples fix 2

* azure sentinel dataConnectors rebase dataConnectors dev

* azure sentinel dataconnectors - fix put to post on connect and disconnect endpoints

* azure sentinel dataconnectors - adding x-ms-secret to password on connect

* azure sentinel dataconnectors - connect/disconnect endpoint remove unnedded 201 return

* azure sentinel dataConnectors - remove empty body DataConnectorDisconnectBody

Co-authored-by: Alon Danoch <adanoch@microsoft.com>

* Add office IRM Connector (Azure#16764)

* Add office IRM

* fix

* fix

* fix

* fix

Co-authored-by: omerhaimov <omer.haimovich@gmail.com>

* Add teamInformation to IncidentProperties 2021-09-01-preview (Azure#16787)

* Fix Swagger for SecurityInsights - Add teamInformation to IncidentProperties

* Try change description as advised by Swagger reviewer Yuchao Yan to fix the validation error.

* Revert change in ntDomain description as it has nothing to do with validations

Co-authored-by: Anat Gilenson <anatgilenson@microsoft.com>

* Make CloudError and CloudErrorBody external resources (already exist under Microsoft.Rest.Azure namespace) (Azure#16872)

Co-authored-by: Anat Gilenson <anatgilenson@microsoft.com>

* Remove operational insights parameter 2021 09 01 preview (Azure#16891)

* Remove operationalInsightsResourceProvider parameter from specs

* Remove parameter from examples

Co-authored-by: Anat Gilenson <anatgilenson@microsoft.com>

* Update EntityTypes.json (Azure#16972)

Co-authored-by: Anat Gilenson <anatgilenson@microsoft.com>
Co-authored-by: Amit Bergman <38046493+Amitbergman@users.noreply.github.com>
Co-authored-by: sagamzu <52034287+sagamzu@users.noreply.github.com>
Co-authored-by: necoh <53861229+necoh@users.noreply.github.com>
Co-authored-by: alondanoch <alondanoch@hotmail.com>
Co-authored-by: Alon Danoch <adanoch@microsoft.com>
Co-authored-by: omerhaimov <55688621+omerhaimov@users.noreply.github.com>
Co-authored-by: omerhaimov <omer.haimovich@gmail.com>
Co-authored-by: Yuchao Yan <yuchaoyan@microsoft.com>
This pull request was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
4 participants