move tests into new credential-specific modules

Author: chlowell

sdk/identity/azure-identity/tests/test_client_secret_credential.py

@@ -2,9 +2,12 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 # ------------------------------------
+import time
+
+from azure.core.credentials import AccessToken
 from azure.core.pipeline.policies import ContentDecodePolicy, SansIOHTTPPolicy
 from azure.identity import ClientSecretCredential
-from helpers import build_aad_response, mock_response
+from helpers import build_aad_response, mock_response, Request, validating_transport
 
 try:
     from unittest.mock import Mock
@@ -26,3 +29,65 @@ def test_policies_configurable():
     credential.get_token("scope")
 
     assert policy.on_request.called
+
+
+def test_client_secret_credential():
+    client_id = "fake-client-id"
+    secret = "fake-client-secret"
+    tenant_id = "fake-tenant-id"
+    access_token = "***"
+
+    transport = validating_transport(
+        requests=[Request(url_substring=tenant_id, required_data={"client_id": client_id, "client_secret": secret})],
+        responses=[
+            mock_response(
+                json_payload={
+                    "token_type": "Bearer",
+                    "expires_in": 42,
+                    "ext_expires_in": 42,
+                    "access_token": access_token,
+                }
+            )
+        ],
+    )
+
+    token = ClientSecretCredential(tenant_id, client_id, secret, transport=transport).get_token("scope")
+
+    # not validating expires_on because doing so requires monkeypatching time, and this is tested elsewhere
+    assert token.token == access_token
+
+
+def test_cache():
+    expired = "this token's expired"
+    now = int(time.time())
+    expired_on = now - 3600
+    expired_token = AccessToken(expired, expired_on)
+    token_payload = {
+        "access_token": expired,
+        "expires_in": 0,
+        "ext_expires_in": 0,
+        "expires_on": expired_on,
+        "not_before": now,
+        "token_type": "Bearer",
+    }
+    mock_send = Mock(return_value=mock_response(json_payload=token_payload))
+    scope = "scope"
+
+    credential = ClientSecretCredential(
+        tenant_id="some-guid", client_id="client_id", client_secret="secret", transport=Mock(send=mock_send)
+    )
+
+    # get_token initially returns the expired token because the credential
+    # doesn't check whether tokens it receives from the service have expired
+    token = credential.get_token(scope)
+    assert token == expired_token
+
+    access_token = "new token"
+    token_payload["access_token"] = access_token
+    token_payload["expires_on"] = now + 3600
+    valid_token = AccessToken(access_token, now + 3600)
+
+    # second call should observe the cached token has expired, and request another
+    token = credential.get_token(scope)
+    assert token == valid_token
+    assert mock_send.call_count == 2

sdk/identity/azure-identity/tests/test_client_secret_credential_async.py

@@ -2,17 +2,17 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 # ------------------------------------
+import asyncio
+import time
+from unittest.mock import Mock
+
+from azure.core.credentials import AccessToken
 from azure.core.pipeline.policies import ContentDecodePolicy, SansIOHTTPPolicy
 from azure.identity.aio import ClientSecretCredential
-from helpers import build_aad_response, mock_response
+from helpers import async_validating_transport, build_aad_response, mock_response, Request
 
 import pytest
 
-try:
-    from unittest.mock import Mock
-except ImportError:  # python < 3.3
-    from mock import Mock  # type: ignore
-
 
 @pytest.mark.asyncio
 async def test_policies_configurable():
@@ -28,3 +28,68 @@ async def send(*_, **__):
     await credential.get_token("scope")
 
     assert policy.on_request.called
+
+
+@pytest.mark.asyncio
+async def test_client_secret_credential():
+    client_id = "fake-client-id"
+    secret = "fake-client-secret"
+    tenant_id = "fake-tenant-id"
+    access_token = "***"
+
+    transport = async_validating_transport(
+        requests=[Request(url_substring=tenant_id, required_data={"client_id": client_id, "client_secret": secret})],
+        responses=[
+            mock_response(
+                json_payload={
+                    "token_type": "Bearer",
+                    "expires_in": 42,
+                    "ext_expires_in": 42,
+                    "access_token": access_token,
+                }
+            )
+        ],
+    )
+
+    token = await ClientSecretCredential(
+        tenant_id=tenant_id, client_id=client_id, client_secret=secret, transport=transport
+    ).get_token("scope")
+
+    # not validating expires_on because doing so requires monkeypatching time, and this is tested elsewhere
+    assert token.token == access_token
+
+
+@pytest.mark.asyncio
+async def test_cache():
+    expired = "this token's expired"
+    now = int(time.time())
+    expired_on = now - 3600
+    expired_token = AccessToken(expired, expired_on)
+    token_payload = {
+        "access_token": expired,
+        "expires_in": 0,
+        "ext_expires_in": 0,
+        "expires_on": expired_on,
+        "not_before": now,
+        "token_type": "Bearer",
+    }
+    mock_send = Mock(return_value=mock_response(json_payload=token_payload))
+    transport = Mock(send=asyncio.coroutine(mock_send))
+    scope = "scope"
+
+    credential = ClientSecretCredential("tenant-id", "client-id", "secret", transport=transport)
+
+    # get_token initially returns the expired token because the credential
+    # doesn't check whether tokens it receives from the service have expired
+    token = await credential.get_token(scope)
+    assert token == expired_token
+
+    access_token = "new token"
+    token_payload["access_token"] = access_token
+    token_payload["expires_on"] = now + 3600
+    valid_token = AccessToken(access_token, now + 3600)
+
+    # second call should observe the cached token has expired, and request another
+    token = await credential.get_token(scope)
+    assert token == valid_token
+    assert mock_send.call_count == 2

sdk/identity/azure-identity/tests/test_device_code_credential.py

@@ -2,8 +2,13 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 # ------------------------------------
-from azure.core.pipeline.policies import ContentDecodePolicy, SansIOHTTPPolicy
+import datetime
+
+from azure.core.exceptions import ClientAuthenticationError
+from azure.core.pipeline.policies import SansIOHTTPPolicy
 from azure.identity import DeviceCodeCredential
+import pytest
+
 from helpers import build_aad_response, get_discovery_response, mock_response, Request, validating_transport
 
 try:
@@ -39,3 +44,76 @@ def test_policies_configurable():
     credential.get_token("scope")
 
     assert policy.on_request.called
+
+
+def test_device_code_credential():
+    expected_token = "access-token"
+    user_code = "user-code"
+    verification_uri = "verification-uri"
+    expires_in = 42
+
+    transport = validating_transport(
+        requests=[Request()] * 3,  # not validating requests because they're formed by MSAL
+        responses=[
+            # expected requests: discover tenant, start device code flow, poll for completion
+            mock_response(json_payload={"authorization_endpoint": "https://a/b", "token_endpoint": "https://a/b"}),
+            mock_response(
+                json_payload={
+                    "device_code": "_",
+                    "user_code": user_code,
+                    "verification_uri": verification_uri,
+                    "expires_in": expires_in,
+                }
+            ),
+            mock_response(
+                json_payload={
+                    "access_token": expected_token,
+                    "expires_in": expires_in,
+                    "scope": "scope",
+                    "token_type": "Bearer",
+                    "refresh_token": "_",
+                }
+            ),
+        ],
+    )
+
+    callback = Mock()
+    credential = DeviceCodeCredential(
+        client_id="_", prompt_callback=callback, transport=transport, instance_discovery=False
+    )
+
+    now = datetime.datetime.utcnow()
+    token = credential.get_token("scope")
+    assert token.token == expected_token
+
+    # prompt_callback should have been called as documented
+    assert callback.call_count == 1
+    uri, code, expires_on = callback.call_args[0]
+    assert uri == verification_uri
+    assert code == user_code
+
+    # validating expires_on exactly would require depending on internals of the credential and
+    # patching time, so we'll be satisfied if expires_on is a datetime at least expires_in
+    # seconds later than our call to get_token
+    assert isinstance(expires_on, datetime.datetime)
+    assert expires_on - now >= datetime.timedelta(seconds=expires_in)
+
+
+def test_timeout():
+    transport = validating_transport(
+        requests=[Request()] * 3,  # not validating requests because they're formed by MSAL
+        responses=[
+            # expected requests: discover tenant, start device code flow, poll for completion
+            mock_response(json_payload={"authorization_endpoint": "https://a/b", "token_endpoint": "https://a/b"}),
+            mock_response(json_payload={"device_code": "_", "user_code": "_", "verification_uri": "_"}),
+            mock_response(json_payload={"error": "authorization_pending"}),
+        ],
+    )
+
+    credential = DeviceCodeCredential(
+        client_id="_", prompt_callback=Mock(), transport=transport, timeout=0.01, instance_discovery=False
+    )
+
+    with pytest.raises(ClientAuthenticationError) as ex:
+        credential.get_token("scope")
+    assert "timed out" in ex.value.message.lower()