dotnet · dtivel · Jun 24, 2024 · Jun 24, 2024 · Jun 24, 2024 · Jun 24, 2024
@@ -5,26 +5,49 @@
 using System.CommandLine;
 using System.CommandLine.Invocation;
 using System.CommandLine.IO;
+using System.CommandLine.Parsing;
 using Azure.Core;
 using Azure.Identity;
 
 namespace Sign.Cli
 {
     internal sealed class AzureCredentialOptions
     {
+        internal Option<string?> CredentialTypeOption { get; } = new Option<string?>(["-act", "--azure-credential-type"], Resources.CredentialTypeOptionDescription).FromAmong(
+            AzureCredentialType.Environment);
         internal Option<bool?> ManagedIdentityOption { get; } = new(["-kvm", "--azure-key-vault-managed-identity"], Resources.ManagedIdentityOptionDescription);
         internal Option<string?> TenantIdOption { get; } = new(["-kvt", "--azure-key-vault-tenant-id"], Resources.TenantIdOptionDescription);
         internal Option<string?> ClientIdOption { get; } = new(["-kvi", "--azure-key-vault-client-id"], Resources.ClientIdOptionDescription);
         internal Option<string?> ClientSecretOption { get; } = new(["-kvs", "--azure-key-vault-client-secret"], Resources.ClientSecretOptionDescription);
 
         internal void AddOptionsToCommand(Command command)
         {
+            command.AddOption(CredentialTypeOption);
             command.AddOption(ManagedIdentityOption);
             command.AddOption(TenantIdOption);
             command.AddOption(ClientIdOption);
             command.AddOption(ClientSecretOption);
         }
 
+        internal DefaultAzureCredentialOptions CreateDefaultAzureCredentialOptions(ParseResult parseResult)
+        {
+            DefaultAzureCredentialOptions options = new();
+
+            string? credentialType = parseResult.GetValueForOption(CredentialTypeOption);
+            if (credentialType is not null)
+            {
+                options.ExcludeAzureCliCredential = true;
+                options.ExcludeAzureDeveloperCliCredential = true;
+                options.ExcludeAzurePowerShellCredential = true;
+                options.ExcludeEnvironmentCredential = credentialType != AzureCredentialType.Environment;
+                options.ExcludeManagedIdentityCredential = true;
+                options.ExcludeVisualStudioCredential = true;
+                options.ExcludeWorkloadIdentityCredential = true;
+            }
+
+            return options;
+        }
+
         internal TokenCredential? CreateTokenCredential(InvocationContext context)
         {
             bool? useManagedIdentity = context.ParseResult.GetValueForOption(ManagedIdentityOption);
@@ -45,7 +68,8 @@ internal void AddOptionsToCommand(Command command)
                 return new ClientSecretCredential(tenantId, clientId, secret);
             }
 
-            return new DefaultAzureCredential();
+            DefaultAzureCredentialOptions options = CreateDefaultAzureCredentialOptions(context.ParseResult);
+            return new DefaultAzureCredential(options);
         }
     }
 }
@@ -0,0 +1,11 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+// See the LICENSE.txt file in the project root for more information.
+
+namespace Sign.Cli
+{
+    internal static class AzureCredentialType
+    {
+        public const string Environment = "environment";
+    }
+}
@@ -135,6 +135,9 @@
   <data name="CodeCommandDescription" xml:space="preserve">
     <value>Sign binaries and containers.</value>
   </data>
+  <data name="CredentialTypeOptionDescription" xml:space="preserve">
+    <value>Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</value>
+  </data>
   <data name="DescriptionOptionDescription" xml:space="preserve">
     <value>Description of the signing certificate.</value>
   </data>

@@ -32,6 +32,11 @@
         <target state="translated">Podepisovat binární soubory a kontejnery.</target>
         <note />
       </trans-unit>
+      <trans-unit id="CredentialTypeOptionDescription">
+        <source>Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</source>
+        <target state="new">Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="DescriptionOptionDescription">
         <source>Description of the signing certificate.</source>
         <target state="translated">Popis podpisového certifikátu.</target>

@@ -32,6 +32,11 @@
         <target state="translated">Signieren Sie Binärdateien und Container.</target>
         <note />
       </trans-unit>
+      <trans-unit id="CredentialTypeOptionDescription">
+        <source>Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</source>
+        <target state="new">Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="DescriptionOptionDescription">
         <source>Description of the signing certificate.</source>
         <target state="translated">Beschreibung des Signaturzertifikats.</target>

@@ -32,6 +32,11 @@
         <target state="translated">Firmar archivos binarios y contenedores.</target>
         <note />
       </trans-unit>
+      <trans-unit id="CredentialTypeOptionDescription">
+        <source>Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</source>
+        <target state="new">Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="DescriptionOptionDescription">
         <source>Description of the signing certificate.</source>
         <target state="translated">Descripción del certificado de firma.</target>

@@ -32,6 +32,11 @@
         <target state="translated">Signer les fichiers binaires et les conteneurs.</target>
         <note />
       </trans-unit>
+      <trans-unit id="CredentialTypeOptionDescription">
+        <source>Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</source>
+        <target state="new">Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="DescriptionOptionDescription">
         <source>Description of the signing certificate.</source>
         <target state="translated">Description du certificat de signature.</target>

@@ -32,6 +32,11 @@
         <target state="translated">Consente di firmare file binari e contenitori.</target>
         <note />
       </trans-unit>
+      <trans-unit id="CredentialTypeOptionDescription">
+        <source>Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</source>
+        <target state="new">Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="DescriptionOptionDescription">
         <source>Description of the signing certificate.</source>
         <target state="translated">Descrizione del certificato di firma.</target>

@@ -32,6 +32,11 @@
         <target state="translated">バイナリとコンテナーに署名します。</target>
         <note />
       </trans-unit>
+      <trans-unit id="CredentialTypeOptionDescription">
+        <source>Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</source>
+        <target state="new">Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="DescriptionOptionDescription">
         <source>Description of the signing certificate.</source>
         <target state="translated">署名証明書の説明。</target>

@@ -32,6 +32,11 @@
         <target state="translated">이진 파일 및 컨테이너에 서명합니다.</target>
         <note />
       </trans-unit>
+      <trans-unit id="CredentialTypeOptionDescription">
+        <source>Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</source>
+        <target state="new">Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="DescriptionOptionDescription">
         <source>Description of the signing certificate.</source>
         <target state="translated">서명 인증서에 대한 설명입니다.</target>

@@ -32,6 +32,11 @@
         <target state="translated">Podpisz pliki binarne i kontenery.</target>
         <note />
       </trans-unit>
+      <trans-unit id="CredentialTypeOptionDescription">
+        <source>Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</source>
+        <target state="new">Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="DescriptionOptionDescription">
         <source>Description of the signing certificate.</source>
         <target state="translated">Opis certyfikatu podpisywania.</target>

@@ -32,6 +32,11 @@
         <target state="translated">Autenticar contêineres e binários.</target>
         <note />
       </trans-unit>
+      <trans-unit id="CredentialTypeOptionDescription">
+        <source>Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</source>
+        <target state="new">Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="DescriptionOptionDescription">
         <source>Description of the signing certificate.</source>
         <target state="translated">Descrição do certificado de autenticação.</target>

@@ -32,6 +32,11 @@
         <target state="translated">Подписывание двоичных файлов и контейнеров.</target>
         <note />
       </trans-unit>
+      <trans-unit id="CredentialTypeOptionDescription">
+        <source>Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</source>
+        <target state="new">Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="DescriptionOptionDescription">
         <source>Description of the signing certificate.</source>
         <target state="translated">Описание сертификата для подписи</target>

@@ -32,6 +32,11 @@
         <target state="translated">İkili dosyaları ve kapsayıcıları imzalayın.</target>
         <note />
       </trans-unit>
+      <trans-unit id="CredentialTypeOptionDescription">
+        <source>Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</source>
+        <target state="new">Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="DescriptionOptionDescription">
         <source>Description of the signing certificate.</source>
         <target state="translated">İmzalama sertifikasının açıklaması.</target>

@@ -32,6 +32,11 @@
         <target state="translated">对二进制文件和容器进行签名。</target>
         <note />
       </trans-unit>
+      <trans-unit id="CredentialTypeOptionDescription">
+        <source>Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</source>
+        <target state="new">Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="DescriptionOptionDescription">
         <source>Description of the signing certificate.</source>
         <target state="translated">签名证书的说明。</target>

@@ -32,6 +32,11 @@
         <target state="translated">簽署二進位檔和容器。</target>
         <note />
       </trans-unit>
+      <trans-unit id="CredentialTypeOptionDescription">
+        <source>Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</source>
+        <target state="new">Azure credential type that will be used. This defaults to all types except interactive-browser, shared-token and visual-studio-code.</target>
+        <note />
+      </trans-unit>
       <trans-unit id="DescriptionOptionDescription">
         <source>Description of the signing certificate.</source>
         <target state="translated">簽署憑證的描述。</target>

@@ -3,12 +3,38 @@
 // See the LICENSE.txt file in the project root for more information.
 
 using System.CommandLine;
+using System.CommandLine.Builder;
+using System.CommandLine.Parsing;
+using Azure.Identity;
+using Moq;
+using Sign.Core;
 
 namespace Sign.Cli.Test
 {
     public class AzureCredentialOptionsTests
     {
-        private readonly AzureCredentialOptions _options = new();
+        private readonly AzureCredentialOptions _options;
+        private readonly AzureKeyVaultCommand _command;
+        private readonly Parser _parser;
+
+        public AzureCredentialOptionsTests()
+        {
+            _command = new(new CodeCommand(), Mock.Of<IServiceProviderFactory>());
+            _parser = new CommandLineBuilder(_command).Build();
+            _options = _command.AzureCredentialOptions;
+        }
+
+        [Fact]
+        public void CredentialTypeOption_Always_HasArityOfExactlyOne()
+        {
+            Assert.Equal(ArgumentArity.ExactlyOne, _options.CredentialTypeOption.Arity);
+        }
+
+        [Fact]
+        public void CredentialTypeOption_Always_IsNotRequired()
+        {
+            Assert.False(_options.CredentialTypeOption.IsRequired);
+        }
 
         [Fact]
         public void ManagedIdentityOption_Always_HasArityOfZeroOrOne()
@@ -57,5 +83,57 @@ public void ClientSecretOption_Always_IsNotRequired()
         {
             Assert.False(_options.ClientSecretOption.IsRequired);
         }
+
+        [Fact]
+        public void AddOptionsToCommand_Always_AddsAllOptionsToCommand()
+        {
+            var command = new Command("test");
+
+            _options.AddOptionsToCommand(command);
+
+            Assert.Contains(_options.CredentialTypeOption, command.Options);
+            Assert.Contains(_options.ManagedIdentityOption, command.Options);
+            Assert.Contains(_options.TenantIdOption, command.Options);
+            Assert.Contains(_options.ClientIdOption, command.Options);
+            Assert.Contains(_options.ClientSecretOption, command.Options);
+        }
+
+        [Fact]
+        public void CreateDefaultAzureCredentialOptions_WhenNoOptionsAreSpecified_ExcludeOptionsHaveTheCorrectDefaultValues()
+        {
+            ParseResult result = _parser.Parse("azure-key-vault -kvu https://keyvault.test -kvc a b");
+
+            DefaultAzureCredentialOptions credentialOptions = _options.CreateDefaultAzureCredentialOptions(result);
+
+            Assert.True(credentialOptions.ExcludeInteractiveBrowserCredential);
+            Assert.True(credentialOptions.ExcludeSharedTokenCacheCredential);
+            Assert.True(credentialOptions.ExcludeVisualStudioCodeCredential);
+            Assert.False(credentialOptions.ExcludeAzureCliCredential);
+            Assert.False(credentialOptions.ExcludeAzureDeveloperCliCredential);
+            Assert.False(credentialOptions.ExcludeAzurePowerShellCredential);
+            Assert.False(credentialOptions.ExcludeEnvironmentCredential);
+            Assert.False(credentialOptions.ExcludeManagedIdentityCredential);
+            Assert.False(credentialOptions.ExcludeVisualStudioCredential);
+            Assert.False(credentialOptions.ExcludeWorkloadIdentityCredential);
+        }
+
+        [Fact]
+        public void CreateDefaultAzureCredentialOptions_WhenEnvironmentIsSpecified_ExcludeOptionsHaveTheCorrectValues()
+        {
+            ParseResult result = _parser.Parse(@"azure-key-vault -kvu https://keyvault.test -kvc a -act environment b");
+
+            DefaultAzureCredentialOptions credentialOptions = _options.CreateDefaultAzureCredentialOptions(result);
+
+            Assert.True(credentialOptions.ExcludeAzureCliCredential);
+            Assert.True(credentialOptions.ExcludeAzureDeveloperCliCredential);
+            Assert.True(credentialOptions.ExcludeAzurePowerShellCredential);
+            Assert.False(credentialOptions.ExcludeEnvironmentCredential);
+            Assert.True(credentialOptions.ExcludeInteractiveBrowserCredential);
+            Assert.True(credentialOptions.ExcludeManagedIdentityCredential);
+            Assert.True(credentialOptions.ExcludeSharedTokenCacheCredential);
+            Assert.True(credentialOptions.ExcludeVisualStudioCodeCredential);
+            Assert.True(credentialOptions.ExcludeVisualStudioCredential);
+            Assert.True(credentialOptions.ExcludeWorkloadIdentityCredential);
+        }
     }
 }