From b2043faf389aa11d775c6535163a5d9df31761a1 Mon Sep 17 00:00:00 2001
From: Paul Van Eck
Date: Fri, 13 Sep 2024 15:53:38 -0700
Subject: [PATCH] [Identity] Update instance discovery error message (#36932)

Signed-off-by: Paul Van Eck
---
 .../identity/_internal/msal_credentials.py | 33 ++++++++++++-------
 .../tests/test_instance_discovery.py | 24 ++++++++++++++
 2 files changed, 45 insertions(+), 12 deletions(-)

diff --git a/sdk/identity/azure-identity/azure/identity/_internal/msal_credentials.py b/sdk/identity/azure-identity/azure/identity/_internal/msal_credentials.py
index 13587de59645..0747a571a375 100644
--- a/sdk/identity/azure-identity/azure/identity/_internal/msal_credentials.py
+++ b/sdk/identity/azure-identity/azure/identity/_internal/msal_credentials.py
@@ -32,7 +32,7 @@ def __init__(
 disable_instance_discovery: Optional[bool] = None,
 tenant_id: Optional[str] = None,
 enable_support_logging: Optional[bool] = None,
- **kwargs: Any
+ **kwargs: Any,
 ) -> None:
 self._instance_discovery = None if disable_instance_discovery is None else not disable_instance_discovery
 self._authority = normalize_authority(authority) if authority else get_default_authority()
@@ -104,17 +104,26 @@ def _get_app(self, **kwargs: Any) -> msal.ClientApplication:
 token_cache = self._initialize_cache(is_cae=bool(kwargs.get("enable_cae")))
 if tenant_id not in client_applications_map:
- client_applications_map[tenant_id] = app_class(
- client_id=self._client_id,
- client_credential=self._client_credential,
- client_capabilities=capabilities,
- authority="{}/{}".format(self._authority, tenant_id),
- azure_region=self._regional_authority,
- token_cache=token_cache,
- http_client=self._client,
- instance_discovery=self._instance_discovery,
- enable_pii_log=self._enable_support_logging,
- )
+ try:
+ client_applications_map[tenant_id] = app_class(
+ client_id=self._client_id,
+ client_credential=self._client_credential,
+ client_capabilities=capabilities,
+ authority="{}/{}".format(self._authority, tenant_id),
+ azure_region=self._regional_authority,
+ token_cache=token_cache,
+ http_client=self._client,
+ instance_discovery=self._instance_discovery,
+ enable_pii_log=self._enable_support_logging,
+ )
+ except ValueError as ex:
+ if "invalid_instance" in str(ex):
+ raise ValueError( # pylint: disable=raise-missing-from
+ f"The authority provided, {self._authority}, is not well-known. If this authority is valid "
+ "and trustworthy, you can disable this check by passing in "
+ "'disable_instance_discovery=True' when constructing the credential."
+ )
+ raise
 return client_applications_map[tenant_id]
diff --git a/sdk/identity/azure-identity/tests/test_instance_discovery.py b/sdk/identity/azure-identity/tests/test_instance_discovery.py
index 1e897d26a246..666af9d4f28a 100644
--- a/sdk/identity/azure-identity/tests/test_instance_discovery.py
+++ b/sdk/identity/azure-identity/tests/test_instance_discovery.py
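Review bot: The `raise ValueError(...)` in the new except branch drops the MSAL exception as its cause, and the `# pylint: disable=raise-missing-from` only silences the warning about that; when an authority is rejected, the original `invalid_instance` detail is what tells an operator whether the endpoint was misconfigured rather than untrusted, so keep it chained by closing the call with `) from ex` and deleting the pylint disable. The branch also keys on the literal `"invalid_instance"` appearing in MSAL's message, which is presumably not a stable contract, so a one-line comment above the `if` naming the MSAL check this mirrors would tell the next maintainer what to re-verify on an MSAL upgrade. `_get_app` starts before this hunk, so the `tenant_id`/`app_class` setup it relies on is not visible here.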
@@ -2,7 +2,10 @@
 # Copyright (c) Microsoft Corporation.
 # Licensed under the MIT License.
 # ------------------------------------
+import pytest
+
 from azure.identity._internal.msal_credentials import MsalCredential
+from azure.core.exceptions import ServiceRequestError
 def test_instance_discovery():
@@ -19,3 +22,24 @@ def test_instance_discovery():
 )
 app = credential._get_app()
 assert app._instance_discovery
+
+
+def test_unknown_authority():
+ credential = MsalCredential(
+ client_id="CLIENT_ID",
+ authority="unknown.authority",
+ )
+ with pytest.raises(ValueError) as ex:
+ credential._get_app()
+ assert "disable_instance_discovery" in str(ex)
+ credential = MsalCredential(
+ client_id="CLIENT_ID",
+ authority="unknown.authority",
+ disable_instance_discovery=True,
+ )
+
+ with pytest.raises(ServiceRequestError):
+ # Instance discovery is disabled, so the credential should not attempt to validate the authority, and instead
+ # attempt to use the authority as given. This is fail since unknown.authority is not resolvable.
+ credential._get_app()
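Review bot: `assert "disable_instance_discovery" in str(ex)` in `test_unknown_authority` stringifies the pytest `ExceptionInfo` wrapper rather than the raised exception, so it passes only because the wrapper's repr happens to embed the exception text; it should read `assert "disable_instance_discovery" in str(ex.value)`. The `ServiceRequestError` half of the test also depends on a live resolver failing to resolve `unknown.authority`, so a host with a wildcard or captive DNS could make this case fail or stall; if the credential accepts a `transport=` kwarg here, a transport stub whose `send` raises `ServiceRequestError` would pin the expectation without any network access. The comment's `This is fail since` looks like a typo for `This should fail since`.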