ImdsV2: Additional Acceptance Tests (#5465)

Robbie-Microsoft · web-flow · commit 818276239ec3 · 2025-09-11T15:35:39.000-04:00
diff --git a/tests/Microsoft.Identity.Test.Common/Core/Mocks/MockHelpers.cs b/tests/Microsoft.Identity.Test.Common/Core/Mocks/MockHelpers.cs
@@ -595,14 +595,15 @@ public static MsalTokenResponse CreateMsalRunTimeBrokerTokenResponse(string acce
         public static MockHttpMessageHandler MockCsrResponse(
             HttpStatusCode statusCode = HttpStatusCode.OK,
             string responseServerHeader = "IMDS/150.870.65.1854",
-            UserAssignedIdentityId idType = UserAssignedIdentityId.None,
+            UserAssignedIdentityId userAssignedIdentityId = UserAssignedIdentityId.None,
             string userAssignedId = null)
         {
             IDictionary<string, string> expectedQueryParams = new Dictionary<string, string>();
             IDictionary<string, string> expectedRequestHeaders = new Dictionary<string, string>();
-            if (idType != UserAssignedIdentityId.None && userAssignedId != null)
+
+            if (userAssignedIdentityId != UserAssignedIdentityId.None && userAssignedId != null)
             {
-                var userAssignedIdQueryParam = ImdsManagedIdentitySource.GetUserAssignedIdQueryParam((ManagedIdentityIdType)idType, userAssignedId, null);
+                var userAssignedIdQueryParam = ImdsManagedIdentitySource.GetUserAssignedIdQueryParam((ManagedIdentityIdType)userAssignedIdentityId, userAssignedId, null);
                 expectedQueryParams.Add(userAssignedIdQueryParam.Value.Key, userAssignedIdQueryParam.Value.Value);
             }
             expectedQueryParams.Add("cred-api-version", "2.0");
@@ -642,14 +643,16 @@ public static MockHttpMessageHandler MockCsrResponseFailure()
         }
 
         public static MockHttpMessageHandler MockCertificateRequestResponse(
-            UserAssignedIdentityId idType = UserAssignedIdentityId.None,
-            string userAssignedId = null)
+            UserAssignedIdentityId userAssignedIdentityId = UserAssignedIdentityId.None,
+            string userAssignedId = null,
+            string certificate = TestConstants.ValidPemCertificate)
         {
             IDictionary<string, string> expectedQueryParams = new Dictionary<string, string>();
             IDictionary<string, string> expectedRequestHeaders = new Dictionary<string, string>();
-            if (idType != UserAssignedIdentityId.None && userAssignedId != null)
+
+            if (userAssignedIdentityId != UserAssignedIdentityId.None && userAssignedId != null)
             {
-                var userAssignedIdQueryParam = ImdsManagedIdentitySource.GetUserAssignedIdQueryParam((ManagedIdentityIdType)idType, userAssignedId, null);
+                var userAssignedIdQueryParam = ImdsManagedIdentitySource.GetUserAssignedIdQueryParam((ManagedIdentityIdType)userAssignedIdentityId, userAssignedId, null);
                 expectedQueryParams.Add(userAssignedIdQueryParam.Value.Key, userAssignedIdQueryParam.Value.Value);
             }
             expectedQueryParams.Add("cred-api-version", ImdsV2ManagedIdentitySource.ImdsV2ApiVersion);
@@ -659,7 +662,7 @@ public static MockHttpMessageHandler MockCertificateRequestResponse(
                 "{" +
                 "\"client_id\": \"" + TestConstants.ClientId + "\"," +
                 "\"tenant_id\": \"" + TestConstants.TenantId + "\"," +
-                "\"certificate\": \"" + TestConstants.ValidPemCertificate + "\"," +
+                "\"certificate\": \"" + certificate + "\"," +
                 "\"identity_type\": \"fake_identity_type\"," + // "SystemAssigned" or "UserAssigned", it doesn't matter for these tests
                 "\"mtls_authentication_endpoint\": \"" + TestConstants.MtlsAuthenticationEndpoint + "\"," +
                 "}";
@@ -680,22 +683,29 @@ public static MockHttpMessageHandler MockCertificateRequestResponse(
         }
 
         public static MockHttpMessageHandler MockImdsV2EntraTokenRequestResponse(
-            IdentityLoggerAdapter identityLoggerAdapter)
+            IdentityLoggerAdapter identityLoggerAdapter,
+            bool mTLSPop = false)
         {
+            IDictionary<string, string> expectedPostData = new Dictionary<string, string>();
             IDictionary<string, string> expectedRequestHeaders = new Dictionary<string, string>
                 {
                     { ThrottleCommon.ThrottleRetryAfterHeaderName, ThrottleCommon.ThrottleRetryAfterHeaderValue }
                 };
+
             var idParams = MsalIdHelper.GetMsalIdParameters(identityLoggerAdapter);
             foreach (var idParam in idParams)
             {
                 expectedRequestHeaders[idParam.Key] = idParam.Value;
             }
 
+            var tokenType = mTLSPop ? "mtls_pop" : "bearer";
+            expectedPostData.Add("token_type", tokenType);
+
             var handler = new MockHttpMessageHandler()
             {
                 ExpectedUrl = $"{TestConstants.MtlsAuthenticationEndpoint}/{TestConstants.TenantId}{ImdsV2ManagedIdentitySource.AcquireEntraTokenPath}",
                 ExpectedMethod = HttpMethod.Post,
+                ExpectedPostData = expectedPostData,
                 ExpectedRequestHeaders = expectedRequestHeaders,
                 ResponseMessage = new HttpResponseMessage(HttpStatusCode.OK)
                 {
diff --git a/tests/Microsoft.Identity.Test.Common/TestConstants.cs b/tests/Microsoft.Identity.Test.Common/TestConstants.cs
@@ -585,15 +585,34 @@ public static MsalTokenResponse CreateAadTestTokenResponseWithFoci()
         internal const string RefreshToken = "mhJDJ8wtjA3KxpRtuPAreZnMcJ2yKC2JUbpOGbRTdOCImLyQ2B4EIhv8AiA2cCEylZZfZsOsZrNsMBZZAAU9TQYYEO72QcdfnIWpAOeKkud5W2L8nMq6i9dx1EVIl09zFXhOJ79BdFbU0Eb5aUHlcqPCQjec62UKBLkZJmtMnoAa8cjvgIuxTdVM8FNdghe5nlCNTEVooKleTTEHNl2BrdyitLaWTKSP0lRqnFxriG0xWcJoSMsdS7Vt6HZd1TkwHIXycNMlCcCdUh5tOgqx1M8y8uoXK4OJ1LQmtkZvcQWcycvOCPACYakKM1pUQqwTxI6Y4HrL38sqQaSNxpF9OcFxOQWpuGodRekCbxXVbWclttIpvSOLaBhZ2ZBpcCBEeEMSmhqqYgajNwwwe9w88u0UsYKe6PBbaI48ENr02u2qBeLsIQ2HUyKlN3iVmX7u7MhgDWA3NNavMtlLmWd63NfuDgXpLI0O4cLhjAx8uoBIK8LntXPHPTxJ28o0yrszvD4gf7RdhuTq5VE15zne6iAJgIGfy7latGFzxuDMcML9OoXURHnNEHBgS9ZQCfNzYZ2O9flF1UjGpcBLEi7hHVHnrQb4y7c98dz9p62cvEMhorGx9kCwSIkOae5LheXPQkFIbsGyomNEwz3HZvR131VGAwdfmUUodvPr6LAAtmjl4sZ72PRqAo8EdQ0IFsWoypXVv51IooR87tO3uiG2DkxhIAwumOQdaJNxw1a0WS9mpQOmwFlvfbZkaIoUKgagHc8fVa1aHZntLGwH0S1iYixJiIrMnPYAeRdSp9mlHllrMX8xUIznobcZ5i8MpUYCKlUXMZ82S3XUJ5dJxARNRPxXlLJ5LPYBhUNkBLQen9Qmq3VZEV1RDJyhbGp6GAo14KsMtVAVYNmYPIgo85pCZgOwVEOBUycszu4AD3p4PT2ella4LVoqmTTMSA5GEWoeWb5JvEo222Z0oKr7UK8dGwpWRSbg8TNeODihJaTUDfErvbgaZnjIRpqfgtM5i1HfQbD7Yyft5PqyygUra7GYy7pjRrEvq95XQD8sAZ32ku9AqCo5qOB584iX881WErOoheQZokt1txqwuIMUyhVuMKNEXy70CeNTsb30ghQMZpZcXIkrLYyQCZ0gNmARhMKagCSdrpUtxudLk44yfmuwSQzBN3ifWfLZiFpU53qdPLZoTw5";
         internal const string IdToken = "6GwdM7f6hHXfivavPozhaRqrbxvEysfXSMQyEKBwVgivPZTtmowsmYygchhIuxjeFFeq1ZPHjhxKFnulrvoY6TDerZY5xyOlg45bToI9Bu95qFvUrrt5r17UJcXdw4YkvEt10CcDDcLcEYw704RpVefvbpjbF24pOgIuafcAkDnbDA0Qea4ePuSC45Lw7zpJhbo9Gh8IfMX597fayBvMs3fh7frrm9KpWMCeKY3h99YSaCYjZFKp1ppvXXPE9bc4sh4pRDOfnv0Yr9J8u4elZevEE4qGddfgd3hYb18XPGRjPEMlWsh7tnwxwUm6OSZlMTHYuvwBENNMx7SUQmMeg4rCfgnbcNDkWpXCiSDVt1lLLv8F2GjYnM6De3v1Ks5lhBWx3grLggcN9LnXz92eJ1l5lTB2v0y9MgmFZ4gY43oIOW5n8G5HOx3bGOyjTw0TKKbyVa3mDj0A3QqW8eLTUJz42BNiGOf5m9prMSlpAW59CHCMJLatsj3IvGeCITsGAr3sUZEytORWUdxCfuIPwecQgU6bO7pNqNvZc1tJHHNwJlfS23ZkiFuEXqEThHYfxBCFxAzMDlzO0TOdWhvrb8hlNeAOcNhoAKxu7HXsePajKs4fU1rcdSxzNKwtASEla3p6jfJnnDtKf38RJZPaRRYMviqqWEMhjmqIvBm7sMaf8RyNNuYl7otZwmwNVCR1hzzmaTAy4kQce67FJqFba7uizrgwp9zsvK8muCHKKPvNthy7fHsxKmrBIm0bLcoePKK3wAID4kFvNQcxXp6rAOr8bLFF3bLEoYdzmF2QJz1frVZZHHPy90Cmlhw48EQN8NE2OllpdaykKt5k4rPcZQyitayNNhism30qh7eCBhcA7mm5Ja0S8X4VPlkwvgwg0mQuul6gakmja8xpnTrwiOdtao320GDmJaJA6zf3UTpNZTq9tdfBtUrjAD8RS0tNUBT3Ko8N2Lfh9ry8y9ESmRVIhch3rKY7UeefFAnkiwH2WwC57ZEsHtMP0SwKYtYKHZW9HkERCCyqOT1Mw0IavsLGFvchzMAvTnz4RwRBk6IrWgANvqT3F3Vexc2K0poKb71XZ4aMXxjqAzydGQAKpKJEJcqEvX9RD8nL76TF2LZIepiaZ3dbQImkqSjbF7aaY2JFoN9ZWlcSQKe8zdO8TIG16bF8W9R4ldDyzV39L33KcweG";
 
-        #region Test Certificate and Private Key (ValidPemCertificate & XmlPrivateKey)
+        #region Test Certificate and Private Key (ExpiredPemCertificate, ValidPemCertificate & XmlPrivateKey)
         /// <summary>
-        /// A test PEM-encoded X.509 certificate and its matching RSA private key.
+        /// Test (expired and valid) PEM-encoded X.509 certificate and their matching RSA private key.
         /// These are used together in unit tests that require both a certificate and its private key.
-        /// The <see cref="ValidPemCertificate"/> and <see cref="XmlPrivateKey"/> are a matched pair:
-        /// - <see cref="ValidPemCertificate"/> is a PEM-encoded certificate.
-        /// - <see cref="XmlPrivateKey"/> is the corresponding RSA private key in XML format.
-        /// The certificate is valid for 100 years, ensuring it will not expire during the lifetime of the tests.
+        /// The <see cref="ExpiredPemCertificate"/>/<see cref="ValidPemCertificate"/> and <see cref="XmlPrivateKey"/> are a matched pair:
+        /// - <see cref="ExpiredPemCertificate"/> is an expired PEM-encoded certificate. The certificate is valid for 1 day and was created on September 8 2025, ensuring it will always be expired.
+        /// - <see cref="ValidPemCertificate"/> is a valid PEM-encoded certificate. The certificate is valid for 100 years and expires on August 4, 2125, ensuring it will not expire during the lifetime of the tests.
+        /// - <see cref="XmlPrivateKey"/> is their corresponding RSA private key in XML format.
         /// </summary>
+        internal const string ExpiredPemCertificate = @"-----BEGIN CERTIFICATE-----
+MIIC/zCCAeegAwIBAgIUGSVU23Wc0+QtCbUTjsyPOrc0XpEwDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAwwEVGVzdDAeFw0yNTA5MDgyMjAxMTdaFw0yNTA5MDkyMjAx
+MTdaMA8xDTALBgNVBAMMBFRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC5XNEuk3cIEChkZd2P/bljUaVqNVh4mbXdWHYAgbdK48U6rG0FLq1NAfSn
+ZO0EPbK8Zo4psRh2lBcqW29/WsKiHUEHLkLyFI+frEIfc8wskd+WxkKfL8G52uRp
+YQCG87FIv8uZBBlDG7kDdOV36CUkK1N+V2fHbkEgx+YfWg6+pLi3KQx6Pf/b2YqL
+D36hj8WRrVYzL6yXVUBiyRd+cQ9y5V/MRtoiX1Sv8WEFYtzIG0TUGi9pR7WWhgHN
+Qk6DFDzutMV62ZEBNPIQvdO2EwXGr1FUIOL6zmj6bArPhY+hCXGrAAwCXodZhgZ9
+5BxTwsQWtjCha2hT6ed8zmoE72FdAgMBAAGjUzBRMB0GA1UdDgQWBBQPYq0Efzuv
+1diVcgxBxTnVA4wLMjAfBgNVHSMEGDAWgBQPYq0Efzuv1diVcgxBxTnVA4wLMjAP
+BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCXAD7cjWmmTqP0NX4M
+qwO0AHtO+KGVtfxF8aI21Ty/nHh2SAODzsemP3NBBvoEvllwtcVyutPqvUiAflML
+Nbp0ucTu+aWE14s1V9Bnt6++5g7gtXItsNV3F/ymYKsyfhDvJbWCOv5qYeJMQ+jt
+ODHN9qnATODT5voULTwEVSYQXtutwRxR8e70Cvok+F+4I6Ni49DJ8DmcYzvB94ut
+hqpDsygY1vYzpRbB5hpW0/D7kgVVWyWoOWiE1mV7Fry7tUWQw7EqnX89kMLMy4g6
+UfOv4gtam8RBa9dLyMW1rCHRxOulP47joI10g9JoJ9DssiQTUojJgQXOSBBXdD20
+H+zl
+-----END CERTIFICATE-----";
         internal const string ValidPemCertificate = @"-----BEGIN CERTIFICATE-----
 MIIDATCCAemgAwIBAgIUSfjghyQB4FIS41rWfNcZHTLE/R4wDQYJKoZIhvcNAQEL
 BQAwDzENMAsGA1UEAwwEVGVzdDAgFw0yNTA4MjgyMDIxMDBaGA8yMTI1MDgwNDIw
diff --git a/tests/Microsoft.Identity.Test.Unit/ManagedIdentityTests/ImdsV2Tests.cs b/tests/Microsoft.Identity.Test.Unit/ManagedIdentityTests/ImdsV2Tests.cs

Original file line number	Diff line number	Diff line change
`@@ -595,14 +595,15 @@ public static MsalTokenResponse CreateMsalRunTimeBrokerTokenResponse(string acce`
`595`	`595`	`public static MockHttpMessageHandler MockCsrResponse(`
`596`	`596`	`HttpStatusCode statusCode = HttpStatusCode.OK,`
`597`	`597`	`string responseServerHeader = "IMDS/150.870.65.1854",`
`598`		`- UserAssignedIdentityId idType = UserAssignedIdentityId.None,`
	`598`	`+ UserAssignedIdentityId userAssignedIdentityId = UserAssignedIdentityId.None,`
`599`	`599`	`string userAssignedId = null)`
`600`	`600`	`{`
`601`	`601`	`IDictionary<string, string> expectedQueryParams = new Dictionary<string, string>();`
`602`	`602`	`IDictionary<string, string> expectedRequestHeaders = new Dictionary<string, string>();`
`603`		`- if (idType != UserAssignedIdentityId.None && userAssignedId != null)`
	`603`	`+`
	`604`	`+ if (userAssignedIdentityId != UserAssignedIdentityId.None && userAssignedId != null)`
`604`	`605`	`{`
`605`		`- var userAssignedIdQueryParam = ImdsManagedIdentitySource.GetUserAssignedIdQueryParam((ManagedIdentityIdType)idType, userAssignedId, null);`
	`606`	`+ var userAssignedIdQueryParam = ImdsManagedIdentitySource.GetUserAssignedIdQueryParam((ManagedIdentityIdType)userAssignedIdentityId, userAssignedId, null);`
`606`	`607`	`expectedQueryParams.Add(userAssignedIdQueryParam.Value.Key, userAssignedIdQueryParam.Value.Value);`
`607`	`608`	`}`
`608`	`609`	`expectedQueryParams.Add("cred-api-version", "2.0");`
`@@ -642,14 +643,16 @@ public static MockHttpMessageHandler MockCsrResponseFailure()`
`642`	`643`	`}`
`643`	`644`
`644`	`645`	`public static MockHttpMessageHandler MockCertificateRequestResponse(`
`645`		`- UserAssignedIdentityId idType = UserAssignedIdentityId.None,`
`646`		`- string userAssignedId = null)`
	`646`	`+ UserAssignedIdentityId userAssignedIdentityId = UserAssignedIdentityId.None,`
	`647`	`+ string userAssignedId = null,`
	`648`	`+ string certificate = TestConstants.ValidPemCertificate)`
`647`	`649`	`{`
`648`	`650`	`IDictionary<string, string> expectedQueryParams = new Dictionary<string, string>();`
`649`	`651`	`IDictionary<string, string> expectedRequestHeaders = new Dictionary<string, string>();`
`650`		`- if (idType != UserAssignedIdentityId.None && userAssignedId != null)`
	`652`	`+`
	`653`	`+ if (userAssignedIdentityId != UserAssignedIdentityId.None && userAssignedId != null)`
`651`	`654`	`{`
`652`		`- var userAssignedIdQueryParam = ImdsManagedIdentitySource.GetUserAssignedIdQueryParam((ManagedIdentityIdType)idType, userAssignedId, null);`
	`655`	`+ var userAssignedIdQueryParam = ImdsManagedIdentitySource.GetUserAssignedIdQueryParam((ManagedIdentityIdType)userAssignedIdentityId, userAssignedId, null);`
`653`	`656`	`expectedQueryParams.Add(userAssignedIdQueryParam.Value.Key, userAssignedIdQueryParam.Value.Value);`
`654`	`657`	`}`
`655`	`658`	`expectedQueryParams.Add("cred-api-version", ImdsV2ManagedIdentitySource.ImdsV2ApiVersion);`
`@@ -659,7 +662,7 @@ public static MockHttpMessageHandler MockCertificateRequestResponse(`
`659`	`662`	`"{" +`
`660`	`663`	`"\"client_id\": \"" + TestConstants.ClientId + "\"," +`
`661`	`664`	`"\"tenant_id\": \"" + TestConstants.TenantId + "\"," +`
`662`		`- "\"certificate\": \"" + TestConstants.ValidPemCertificate + "\"," +`
	`665`	`+ "\"certificate\": \"" + certificate + "\"," +`
`663`	`666`	`"\"identity_type\": \"fake_identity_type\"," + // "SystemAssigned" or "UserAssigned", it doesn't matter for these tests`
`664`	`667`	`"\"mtls_authentication_endpoint\": \"" + TestConstants.MtlsAuthenticationEndpoint + "\"," +`
`665`	`668`	`"}";`
`@@ -680,22 +683,29 @@ public static MockHttpMessageHandler MockCertificateRequestResponse(`
`680`	`683`	`}`
`681`	`684`
`682`	`685`	`public static MockHttpMessageHandler MockImdsV2EntraTokenRequestResponse(`
`683`		`- IdentityLoggerAdapter identityLoggerAdapter)`
	`686`	`+ IdentityLoggerAdapter identityLoggerAdapter,`
	`687`	`+ bool mTLSPop = false)`
`684`	`688`	`{`
	`689`	`+ IDictionary<string, string> expectedPostData = new Dictionary<string, string>();`
`685`	`690`	`IDictionary<string, string> expectedRequestHeaders = new Dictionary<string, string>`
`686`	`691`	`{`
`687`	`692`	`{ ThrottleCommon.ThrottleRetryAfterHeaderName, ThrottleCommon.ThrottleRetryAfterHeaderValue }`
`688`	`693`	`};`
	`694`	`+`
`689`	`695`	`var idParams = MsalIdHelper.GetMsalIdParameters(identityLoggerAdapter);`
`690`	`696`	`foreach (var idParam in idParams)`
`691`	`697`	`{`
`692`	`698`	`expectedRequestHeaders[idParam.Key] = idParam.Value;`
`693`	`699`	`}`
`694`	`700`
	`701`	`+ var tokenType = mTLSPop ? "mtls_pop" : "bearer";`
	`702`	`+ expectedPostData.Add("token_type", tokenType);`
	`703`	`+`
`695`	`704`	`var handler = new MockHttpMessageHandler()`
`696`	`705`	`{`
`697`	`706`	`ExpectedUrl = $"{TestConstants.MtlsAuthenticationEndpoint}/{TestConstants.TenantId}{ImdsV2ManagedIdentitySource.AcquireEntraTokenPath}",`
`698`	`707`	`ExpectedMethod = HttpMethod.Post,`
	`708`	`+ ExpectedPostData = expectedPostData,`
`699`	`709`	`ExpectedRequestHeaders = expectedRequestHeaders,`
`700`	`710`	`ResponseMessage = new HttpResponseMessage(HttpStatusCode.OK)`
`701`	`711`	`{`