Add federated auth support (#5740)

* Add federated auth support

* Wire up UseFederatedAuth more and EnvVars

* parameters.

* Testing

* ServiceConnection

* ServiceConnection (again)

* Remove testApplicaitonSecret

* Parameters

* exit $LASTEXITCODE

* Merge EnvVars correctly, only include SubscriptionConfigurationFilePaths if using federated auth

* Review comments

* Revert identity changes so tests continue passing

Author: danieljurek

eng/pipelines/templates/jobs/live.tests.yml

@@ -42,6 +42,12 @@ parameters:
 - name: OSName
   type: string
   default: ''
+- name: EnvVars
+  type: object
+  default: {}
+- name: UseFederatedAuth
+  type: boolean
+  default: false
 
 jobs:
 - job:
@@ -156,6 +162,9 @@ jobs:
       SubscriptionConfigurations: ${{ parameters.CloudConfig.SubscriptionConfigurations }}
       EnvVars:
         Pool: $(Pool)
+        ${{ insert }}: ${{ parameters.EnvVars }}
+      ${{ if parameters.UseFederatedAuth }}:
+        SubscriptionConfigurationFilePaths: ${{ parameters.CloudConfig.SubscriptionConfigurationFilePaths }}
 
   - template: /eng/common/TestResources/deploy-test-resources.yml
     parameters:
@@ -164,32 +173,56 @@ jobs:
       SubscriptionConfiguration: $(SubscriptionConfiguration)
       EnvVars:
         Pool: $(Pool)
+        ${{ insert }}: ${{ parameters.EnvVars }}
+      UseFederatedAuth: ${{ parameters.UseFederatedAuth }}
+      ServiceConnection: ${{ parameters.CloudConfig.ServiceConnection }}
 
   - template: /eng/common/testproxy/test-proxy-tool.yml
     parameters:
       runProxy: false
 
   - ${{ parameters.PreTestSteps }}
 
-    # For non multi-config generator use the same build configuration to run tests
-    # We don't need to set it to invoke ctest
-    # Visual Studio generator used in CI is a multi-config generator.
-    # As such, it requires the configuration argument for building and invoking ctest
-  - bash: |
-      export AZURE_CLIENT_ID=$(${{parameters.ServiceDirectory}}_CLIENT_ID)
-      export AZURE_TENANT_ID=$(${{parameters.ServiceDirectory}}_TENANT_ID)
-      export AZURE_CLIENT_SECRET=$(${{parameters.ServiceDirectory}}_CLIENT_SECRET)
+  - ${{ if parameters.UseFederatedAuth }}:
+    - task: AzurePowerShell@5
+      displayName: ctest
+      condition: and(succeeded(), ne(variables['RunSamples'], '1'))
+      inputs:
+        azureSubscription: ${{ parameters.CloudConfig.ServiceConnection }}
+        azurePowerShellVersion: LatestVersion
+        ScriptType: InlineScript
+        Inline: |
+          $account = (Get-AzContext).Account
+          $env:AZURESUBSCRIPTION_CLIENT_ID = $account.Id
+          $env:AZURESUBSCRIPTION_TENANT_ID = $account.Tenants
 
-      ctest $(WindowsCtestConfig) -V --tests-regex "${{ parameters.CtestRegex }}" --no-compress-output -T Test
-    workingDirectory: build
-    displayName: ctest
-    # Runs only if test-resources are happily deployed.
-    # unit-tests runs for those configs where samples are not ran.
-    # This enables to run tests and samples at the same time as different matrix configuration.
-    # Then unit-tests runs, samples should not run.
-    condition: and(
-      succeeded(),
-      ne(variables['RunSamples'], '1'))
+          ctest $(WindowsCtestConfig) -V --tests-regex "${{ parameters.CtestRegex }}" --no-compress-output -T Test
+          exit $LASTEXITCODE
+        workingDirectory: build
+      env:
+        SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+        ${{ insert }}: ${{ parameters.EnvVars }}
+
+  - ${{ else }}:
+      # For non multi-config generator use the same build configuration to run tests
+      # We don't need to set it to invoke ctest
+      # Visual Studio generator used in CI is a multi-config generator.
+      # As such, it requires the configuration argument for building and invoking ctest
+    - bash: |
+        export AZURE_CLIENT_ID=$(${{parameters.ServiceDirectory}}_CLIENT_ID)
+        export AZURE_TENANT_ID=$(${{parameters.ServiceDirectory}}_TENANT_ID)
+        export AZURE_CLIENT_SECRET=$(${{parameters.ServiceDirectory}}_CLIENT_SECRET)
+
+        ctest $(WindowsCtestConfig) -V --tests-regex "${{ parameters.CtestRegex }}" --no-compress-output -T Test
+      workingDirectory: build
+      displayName: ctest
+      # Runs only if test-resources are happily deployed.
+      # unit-tests runs for those configs where samples are not ran.
+      # This enables to run tests and samples at the same time as different matrix configuration.
+      # Then unit-tests runs, samples should not run.
+      condition: and(succeeded(), ne(variables['RunSamples'], '1'))
+      env:
+        ${{ insert }}: ${{ parameters.EnvVars }}
 
   - ${{ parameters.PostTestSteps }}
 
@@ -205,32 +238,66 @@ jobs:
     # this step only makes sense when ctest has run
     condition: and(succeededOrFailed(), ne(variables['RunSamples'], '1'))
 
-    # Running Samples step.
-    # Will run samples described on a file name [service]-samples.txt within the build directory.
-    # For example keyvault-samples.txt.
-    # The file is written by CMake during configuration when building samples.
-  - bash: |
-      IFS=$'\n'
-      if [[ -f "./${{ parameters.ServiceDirectory }}-samples.txt" ]]; then
-        for sample in `cat ./${{ parameters.ServiceDirectory }}-samples.txt`
-        do
-          export AZURE_CLIENT_ID=$(${{parameters.ServiceDirectory}}_CLIENT_ID)
-          export AZURE_TENANT_ID=$(${{parameters.ServiceDirectory}}_TENANT_ID)
-          export AZURE_CLIENT_SECRET=$(${{parameters.ServiceDirectory}}_CLIENT_SECRET)
-          echo "**********Running sample: ${sample}"
-          bash -c "$sample"
-          status=$?
-          if [[ $status -eq 0 ]]; then
-            echo "*********Sample completed*********"
-          else
-            echo "*Sample returned a failed code: $status"
-            exit 1
-          fi
-        done
-      fi
-    workingDirectory: build
-    displayName: "Run Samples for : ${{ parameters.ServiceDirectory }}"
-    condition: and(succeeded(), eq(variables['RunSamples'], '1'))
+
+  - ${{ if parameters.UseFederatedAuth }}:
+      # Running Samples step.
+      # Will run samples described on a file name [service]-samples.txt within the build directory.
+      # For example keyvault-samples.txt.
+      # The file is written by CMake during configuration when building samples.
+    - bash: |
+        IFS=$'\n'
+        if [[ -f "./${{ parameters.ServiceDirectory }}-samples.txt" ]]; then
+          for sample in `cat ./${{ parameters.ServiceDirectory }}-samples.txt`
+          do
+            export AZURE_CLIENT_ID=$(${{parameters.ServiceDirectory}}_CLIENT_ID)
+            export AZURE_TENANT_ID=$(${{parameters.ServiceDirectory}}_TENANT_ID)
+            export AZURE_CLIENT_SECRET=$(${{parameters.ServiceDirectory}}_CLIENT_SECRET)
+            echo "**********Running sample: ${sample}"
+            bash -c "$sample"
+            status=$?
+            if [[ $status -eq 0 ]]; then
+              echo "*********Sample completed*********"
+            else
+              echo "*Sample returned a failed code: $status"
+              exit 1
+            fi
+          done
+        fi
+      workingDirectory: build
+      displayName: "Run Samples for : ${{ parameters.ServiceDirectory }}"
+      condition: and(succeeded(), eq(variables['RunSamples'], '1'))
+      env:
+        ${{ insert }}: ${{ parameters.EnvVars }}
+
+  - ${{ else }}:
+    - task: AzurePowerShell@5
+      displayName: "Run Samples for : ${{ parameters.ServiceDirectory }}"
+      condition: and(succeeded(), eq(variables['RunSamples'], '1'))
+      inputs:
+        azureSubscription: ${{ parameters.CloudConfig.ServiceConnection }}
+        azurePowerShellVersion: LatestVersion
+        ScriptType: InlineScript
+        Inline: |
+          $account = (Get-AzContext).Account
+          $env:AZURESUBSCRIPTION_CLIENT_ID = $account.Id
+          $env:AZURESUBSCRIPTION_TENANT_ID = $account.Tenants
+
+          if (Test-Path -Path "${{ parameters.ServiceDirectory }}-samples.txt") {
+            $samples = Get-Content "${{ parameters.ServiceDirectory }}-samples.txt"
+            foreach ($sample in $samples) {
+              Write-Host "**********Running sample: $sample"
+              & "$sample"
+              if ($LASTEXITCODE) {
+                Write-Host "Sample failed with exit code $LASTEXITCODE"
+                exit 1
+              }
+              Write-Host "**********Sample completed"
+            }
+          }
+        workingDirectory: build
+      env:
+        SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+        ${{ insert }}: ${{ parameters.EnvVars }}
 
   # Make coverage targets (specified in coverage_targets.txt) and assemble
   # coverage report
@@ -252,3 +319,6 @@ jobs:
     parameters:
       ServiceDirectory: ${{ parameters.ServiceDirectory }}
       SubscriptionConfiguration: $(SubscriptionConfiguration)
+      UseFederatedAuth: ${{ parameters.UseFederatedAuth }}
+      EnvVars: ${{ parameters.EnvVars }}
+      ServiceConnection: ${{ parameters.CloudConfig.ServiceConnection }}

eng/pipelines/templates/stages/archetype-sdk-client.yml

@@ -56,15 +56,22 @@ parameters:
     default:
       Public:
         SubscriptionConfiguration: $(sub-config-azure-cloud-test-resources)
+        ServiceConnection: azure-sdk-tests
+        SubscriptionConfigurationFilePaths:
+          - eng/common/TestResources/sub-config/AzurePublicMsft.json
       Preview:
         SubscriptionConfiguration: $(sub-config-azure-cloud-test-resources-preview)
+        ServiceConnection: azure-sdk-tests
       Canary:
         SubscriptionConfiguration: $(sub-config-azure-cloud-test-resources)
+        ServiceConnection: azure-sdk-tests
         Location: 'eastus2euap'
       UsGov:
         SubscriptionConfiguration: $(sub-config-gov-test-resources)
+        ServiceConnection: usgov_azure-sdk-tests
       China:
         SubscriptionConfiguration: $(sub-config-cn-test-resources)
+        ServiceConnection: china_azure-sdk-tests
   - name: Clouds
     type: string
     default: Public
@@ -83,6 +90,12 @@ parameters:
   - name: CMakeGenerationTimeoutInMinutes
     type: number
     default: 120
+  - name: EnvVars
+    type: object
+    default: {}
+  - name: UseFederatedAuth
+    type: boolean
+    default: false
 
 extends:
   ${{ if eq(variables['System.TeamProject'], 'internal') }}:
@@ -190,6 +203,8 @@ extends:
               UnsupportedClouds: ${{ parameters.UnsupportedClouds }}
               PreTestSteps: ${{ parameters.PreTestSteps }}
               PostTestSteps: ${{ parameters.PostTestSteps }}
+              UseFederatedAuth: ${{ parameters.UseFederatedAuth }}
+              EnvVars: ${{ parameters.EnvVars }}
 
       - ${{ if and(eq(variables['System.TeamProject'], 'internal'), not(endsWith(variables['Build.DefinitionName'], ' - tests'))) }}:
           - template: archetype-cpp-release.yml@self

eng/pipelines/templates/stages/archetype-sdk-tests.yml

@@ -35,6 +35,12 @@ parameters:
 - name: PostTestSteps
   type: stepList
   default: []
+- name: EnvVars
+  type: object
+  default: {}
+- name: UseFederatedAuth
+  type: boolean
+  default: false
 
 stages:
 - ${{ each cloud in parameters.CloudConfig }}:
@@ -58,6 +64,8 @@ stages:
                 SubscriptionConfigurations: ${{ cloud.value.SubscriptionConfigurations }}
                 Location: ${{ coalesce(parameters.Location, cloud.value.Location) }}
                 Cloud: ${{ cloud.key }}
+                SubscriptionConfigurationFilePaths: ${{ cloud.value.SubscriptionConfigurationFilePaths }}
+                ServiceConnection: ${{ cloud.value.ServiceConnection }}
               AdditionalParameters:
                 Location: ${{ parameters.Location}}
                 ServiceDirectory: ${{ parameters.ServiceDirectory}}
@@ -67,3 +75,5 @@ stages:
                 TimeoutInMinutes: ${{ parameters.TimeoutInMinutes}}
                 PreTestSteps: ${{ parameters.PreTestSteps }}
                 PostTestSteps: ${{ parameters.PostTestSteps }}
+                EnvVars: ${{ parameters.EnvVars }}
+                UseFederatedAuth: ${{ parameters.UseFederatedAuth }}