Setup azfed credential provider in extension code for client testing (#1378)

* Setup azfed credential provider in extension code for client testing

* Add the old validation code for serviceConnection properties

* Apply suggestion from @Copilot

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Nathan Turinski <naturins@microsoft.comm>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: 3 people

src/services/AzureDevOpsSubscriptionProvider.ts

@@ -0,0 +1,56 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.md in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+
+import type { AzureSubscriptionProvider } from "@microsoft/vscode-azext-azureauth";
+import type { AzureDevOpsSubscriptionProviderInitializer } from "@microsoft/vscode-azext-azureauth/azdo";
+
+/**
+ * Reads Azure DevOps federated credential configuration from environment variables
+ * and returns a factory that creates an {@link AzureDevOpsSubscriptionProvider}.
+ *
+ * Expected environment variables (set by the shared pipeline template in `vscode-azuretools`):
+ * - `AzCode_ServiceConnectionID` — the resource ID of the ADO federated service connection
+ * - `AzCode_ServiceConnectionDomain` — the tenant ID of the service connection
+ * - `AzCode_ServiceConnectionClientID` — the service principal (application client) ID
+ *
+ * The factory also calls `signIn()` on the first invocation so the provider is
+ * ready to use immediately.
+ */
+export function createAzureDevOpsSubscriptionProviderFactory(): () => Promise<AzureSubscriptionProvider> {
+    const serviceConnectionId: string | undefined = process.env['AzCode_ServiceConnectionID'];
+    const tenantId: string | undefined = process.env['AzCode_ServiceConnectionDomain'];
+    const clientId: string | undefined = process.env['AzCode_ServiceConnectionClientID'];
+
+    if (!serviceConnectionId || !tenantId || !clientId) {
+        throw new Error(`Using Azure DevOps federated credentials, but federated service connection is not configured\n
+                            process.env.AzCode_ServiceConnectionID: ${serviceConnectionId ? "✅" : "❌"}\n
+                            process.env.AzCode_ServiceConnectionDomain: ${tenantId ? "✅" : "❌"}\n
+                            process.env.AzCode_ServiceConnectionClientID: ${clientId ? "✅" : "❌"}\n
+                        `);
+    }
+
+    const initializer: AzureDevOpsSubscriptionProviderInitializer = {
+        serviceConnectionId,
+        tenantId,
+        clientId,
+    };
+
+    let providerPromise: Promise<AzureSubscriptionProvider> | undefined;
+
+    return () => {
+        providerPromise ??= (async () => {
+            // Dynamic import so the AzDO-specific module (and its @azure/identity dependency)
+            // is only loaded when federated credentials are actually in use.
+            const { AzureDevOpsSubscriptionProvider } = await import("@microsoft/vscode-azext-azureauth/azdo");
+            const provider = new AzureDevOpsSubscriptionProvider(initializer);
+            const signedIn = await provider.signIn();
+            if (!signedIn) {
+                throw new Error("Azure DevOps sign-in failed during subscription provider initialization.");
+            }
+            return provider;
+        })();
+        return providerPromise;
+    };
+}

src/services/getSubscriptionProviderFactory.ts

@@ -4,14 +4,23 @@
  *--------------------------------------------------------------------------------------------*/
 
 import type { AzureSubscriptionProvider } from "@microsoft/vscode-azext-azureauth";
+import { createAzureDevOpsSubscriptionProviderFactory } from "./AzureDevOpsSubscriptionProvider";
 import { createVSCodeAzureSubscriptionProviderFactory } from "./VSCodeAzureSubscriptionProvider";
 
 /**
  * Returns a factory function that creates a subscription provider, satisfying the `AzureSubscriptionProvider` interface.
  *
- * For nightly tests that require Azure DevOps federated credentials, use the test API to set
- * `ext.testing.overrideAzureSubscriptionProvider` with an AzDO provider factory instead.
+ * When running in an Azure DevOps pipeline with federated credentials enabled
+ * (via the `AzCode_UseAzureFederatedCredentials` environment variable), this returns an
+ * {@link AzureDevOpsSubscriptionProvider}-based factory so that client extensions that depend
+ * on the Resources extension API also get the correct subscription provider without needing
+ * to set it up themselves.
  */
 export function getSubscriptionProviderFactory(): () => Promise<AzureSubscriptionProvider> {
+    const useAzureFederatedCredentials = !/^(false|0)?$/i.test(process.env['AzCode_UseAzureFederatedCredentials'] || '');
+    if (useAzureFederatedCredentials) {
+        return createAzureDevOpsSubscriptionProviderFactory();
+    }
+
     return createVSCodeAzureSubscriptionProviderFactory();
 }

test/nightly/global.nightly.test.ts

@@ -5,7 +5,6 @@
 
 import * as vscode from 'vscode';
 import { longRunningTestsEnabled } from '../global.test';
-import { setupAzureDevOpsSubscriptionProvider } from '../utils/azureDevOpsSubscriptionProvider';
 
 export const resourceGroupsToDelete: string[] = [];
 
@@ -14,11 +13,6 @@ suiteSetup(async function (this: Mocha.Context): Promise<void> {
     if (longRunningTestsEnabled) {
         this.timeout(2 * 60 * 1000);
 
-        // Set up Azure DevOps subscription provider for federated credentials
-        const useAzureFederatedCredentials: boolean = !/^(false|0)?$/i.test(process.env['AzCode_UseAzureFederatedCredentials'] || '');
-        if (useAzureFederatedCredentials) {
-            await setupAzureDevOpsSubscriptionProvider();
-        }
 
         await vscode.commands.executeCommand('azureResourceGroups.logIn');
     }

test/utils/azureDevOpsSubscriptionProvider.ts

@@ -1,57 +1,23 @@
 /*---------------------------------------------------------------------------------------------
  *  Copyright (c) Microsoft Corporation. All rights reserved.
- *  Licensed under the MIT License. See LICENSE.md in the project root for license information.
+ *  Licensed under the MIT License. See License.md in the project root for license information.
  *--------------------------------------------------------------------------------------------*/
 
+import { createAzureDevOpsSubscriptionProviderFactory } from "../../src/services/AzureDevOpsSubscriptionProvider";
 import { getCachedTestApi } from "./testApiAccess";
 
 /**
- * Sets up the Azure DevOps subscription provider for nightly tests.
- * This reads credentials from environment variables and configures the test API override.
+ * Re-establishes the Azure DevOps subscription provider via the test API.
  *
- * Required environment variables:
- * - AzCode_ServiceConnectionID: The Azure DevOps service connection ID
- * - AzCode_ServiceConnectionDomain: The tenant/domain ID
- * - AzCode_ServiceConnectionClientID: The client ID for authentication
- *
- * @throws Error if any required environment variables are missing
+ * The primary AzDO provider setup now happens at extension activation time
+ * (see {@link getSubscriptionProviderFactory}). This helper is only needed in test
+ * suites that first clear overrides (e.g. after mock-based tests) and need to
+ * restore the AzDO provider for subsequent integration tests.
  */
 export async function setupAzureDevOpsSubscriptionProvider(): Promise<void> {
-    const serviceConnectionId: string | undefined = process.env['AzCode_ServiceConnectionID'];
-    const domain: string | undefined = process.env['AzCode_ServiceConnectionDomain'];
-    const clientId: string | undefined = process.env['AzCode_ServiceConnectionClientID'];
-
-    if (!serviceConnectionId || !domain || !clientId) {
-        throw new Error(`Using Azure DevOps federated credentials, but federated service connection is not configured\n
-                            process.env.AzCode_ServiceConnectionID: ${serviceConnectionId ? "✅" : "❌"}\n
-                            process.env.AzCode_ServiceConnectionDomain: ${domain ? "✅" : "❌"}\n
-                            process.env.AzCode_ServiceConnectionClientID: ${clientId ? "✅" : "❌"}\n
-                        `);
-    }
-
-    // Dynamic import to avoid loading AzDO dependencies unless actually needed
-    const { createAzureDevOpsSubscriptionProviderFactory } = await import("@microsoft/vscode-azext-azureauth/azdo");
-
-    const initializer = {
-        serviceConnectionId,
-        tenantId: domain,
-        clientId,
-    };
-
-    const factory = createAzureDevOpsSubscriptionProviderFactory(initializer);
-
-    // Create the provider instance now so we can return it synchronously
+    const factory = createAzureDevOpsSubscriptionProviderFactory();
     const provider = await factory();
 
-    // Sign in to establish the token credential.
-    // This must be done before the provider can return subscriptions.
-    const signedIn = await provider.signIn();
-
-    if (!signedIn) {
-        throw new Error('Failed to sign in with Azure DevOps federated credentials');
-    }
-
-    // Set the override via the test API
     const testApi = getCachedTestApi();
     testApi.testing.setOverrideAzureSubscriptionProvider(() => provider);
 }