diff --git a/.github/actions/env-setup/action.yml b/.github/actions/env-setup/action.yml
index 19d40dd7084..ea5e321e463 100644
--- a/.github/actions/env-setup/action.yml
+++ b/.github/actions/env-setup/action.yml
@@ -24,7 +24,7 @@ runs:
 - name: Install azdev
 shell: bash
 run: |
- python -m pip install --upgrade pip
+ python -m pip install --upgrade pip "setuptools>=78"
 set -ev
 python -m venv env
 chmod +x env/bin/activate
diff --git a/src/azure-cli-core/azure/cli/core/_profile.py b/src/azure-cli-core/azure/cli/core/_profile.py
index de0c8efe70f..ab68157f4a8 100644
--- a/src/azure-cli-core/azure/cli/core/_profile.py
+++ b/src/azure-cli-core/azure/cli/core/_profile.py
@@ -970,8 +970,10 @@ def _create_identity_instance(cli_ctx, authority, tenant_id=None, client_id=None
 # On Windows, use core.enable_broker_on_windows=false to disable broker (WAM) for authentication.
 enable_broker_on_windows = cli_ctx.config.getboolean('core', 'enable_broker_on_windows', fallback=True)
+ # On macOS, broker authentication is opt-in. Use core.enable_broker_on_mac=true to enable it.
+ enable_broker_on_mac = cli_ctx.config.getboolean('core', 'enable_broker_on_mac', fallback=False)
 from .telemetry import set_broker_info
- set_broker_info(enable_broker_on_windows)
+ set_broker_info(enable_broker_on_windows, enable_broker_on_mac)
 # PREVIEW: In Azure Stack environment, use core.instance_discovery=false to disable MSAL's instance discovery.
 instance_discovery = cli_ctx.config.getboolean('core', 'instance_discovery', True)
@@ -980,4 +982,5 @@ def _create_identity_instance(cli_ctx, authority, tenant_id=None, client_id=None
 encrypt=encrypt,
 use_msal_http_cache=use_msal_http_cache,
 enable_broker_on_windows=enable_broker_on_windows,
+ enable_broker_on_mac=enable_broker_on_mac,
 instance_discovery=instance_discovery)
diff --git a/src/azure-cli-core/azure/cli/core/auth/identity.py b/src/azure-cli-core/azure/cli/core/auth/identity.py
index 91629e89441..b2c04043277 100644
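Review bot: In the `Install azdev` step of action.yml, `"setuptools>=78"` is installed before `python -m venv env`, so it lands in the runner's base interpreter, and a venv created without system site-packages will not see it. If the intent is for builds inside `env` to use the newer setuptools, the install belongs after `env/bin/activate` has been sourced; the rest of the `run` block is outside this hunk, so that may already happen further down. The requirement is also an open lower bound, so CI takes whatever setuptools release is newest at run time; a bounded range such as `"setuptools>=78,<N"` (N being the next major the project has tested) would keep builds reproducible.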
--- a/src/azure-cli-core/azure/cli/core/auth/identity.py
+++ b/src/azure-cli-core/azure/cli/core/auth/identity.py
@@ -58,7 +58,7 @@ class Identity: # pylint: disable=too-many-instance-attributes
 _service_principal_store_instance = None
 def __init__(self, authority, tenant_id=None, client_id=None, encrypt=False, use_msal_http_cache=True,
- enable_broker_on_windows=None, instance_discovery=None):
+ enable_broker_on_windows=None, enable_broker_on_mac=None, instance_discovery=None):
 """
 :param authority: Authentication authority endpoint. For example,
 - AAD: https://login.microsoftonline.com
@@ -74,6 +74,7 @@ def __init__(self, authority, tenant_id=None, client_id=None, encrypt=False, use
 self._encrypt = encrypt
 self._use_msal_http_cache = use_msal_http_cache
 self._enable_broker_on_windows = enable_broker_on_windows
+ self._enable_broker_on_mac = enable_broker_on_mac
 self._instance_discovery = instance_discovery
 # Build the authority in MSAL style
@@ -111,9 +112,10 @@ def _msal_app_kwargs(self):
 @property
 def _msal_public_app_kwargs(self):
 """kwargs for creating PublicClientApplication."""
- # enable_broker_on_windows can only be used on PublicClientApplication.
+ # enable_broker_on_windows and enable_broker_on_mac can only be used on PublicClientApplication.
 return {**self._msal_app_kwargs,
 "enable_broker_on_windows": self._enable_broker_on_windows,
+ "enable_broker_on_mac": self._enable_broker_on_mac,
 "enable_pii_log": True}
 @property
diff --git a/src/azure-cli-core/azure/cli/core/telemetry.py b/src/azure-cli-core/azure/cli/core/telemetry.py
index aeb06ba35f2..9de515d7e7e 100644
--- a/src/azure-cli-core/azure/cli/core/telemetry.py
+++ b/src/azure-cli-core/azure/cli/core/telemetry.py
@@ -77,6 +77,7 @@ def __init__(self, correlation_id=None, application=None):
 self.user_agent = None
 # authentication-related
 self.enable_broker_on_windows = None
+ self.enable_broker_on_mac = None
 self.msal_telemetry = None
 self.login_experience_v2 = None
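Review bot: In `Identity.__init__` (identity.py, first hunk), `enable_broker_on_mac=None` is inserted ahead of `instance_discovery`, which moves an existing parameter to a new positional slot: a caller that passed `instance_discovery` as the seventh positional argument would now set the macOS broker flag instead. The call in `_create_identity_instance` uses keywords and is unaffected, but callers outside this diff are not visible. Appending the new parameter keeps the signature backward-compatible: `enable_broker_on_windows=None, instance_discovery=None, enable_broker_on_mac=None):`. The `:param` list begins right below the changed line, and an entry for the new flag would fit there, though the rest of the docstring lies outside the hunk.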
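Review bot: In `_msal_public_app_kwargs` (identity.py, third hunk), `"enable_pii_log": True` sits in the same dict as the new `"enable_broker_on_mac"` entry, so once a user opts in, whatever PII logging MSAL performs for broker flows presumably extends to macOS as well. The updated comment only says where the broker flags may be used. A line such as `# enable_pii_log stays on for broker troubleshooting; with enable_broker_on_mac it also applies on macOS` would make that explicit for anyone reviewing how CLI logs are handled.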
@@ -237,6 +238,7 @@ def _get_azure_cli_properties(self):
 set_custom_properties(result, 'SecretNames', ','.join(self.secret_names or []))
 # authentication-related
 set_custom_properties(result, 'EnableBrokerOnWindows', str(self.enable_broker_on_windows))
+ set_custom_properties(result, 'EnableBrokerOnMac', str(self.enable_broker_on_mac))
 set_custom_properties(result, 'MsalTelemetry', self.msal_telemetry)
 set_custom_properties(result, 'LoginExperienceV2', str(self.login_experience_v2))
@@ -483,9 +485,10 @@ def set_region_identified(region_input, region_identified):
 # region authentication-related
 @decorators.suppress_all_exceptions()
-def set_broker_info(enable_broker_on_windows):
- # Log the value of `enable_broker_on_windows`
+def set_broker_info(enable_broker_on_windows, enable_broker_on_mac=None):
+ # Log the value of `enable_broker_on_windows` and `enable_broker_on_mac`
 _session.enable_broker_on_windows = enable_broker_on_windows
+ _session.enable_broker_on_mac = enable_broker_on_mac
 @decorators.suppress_all_exceptions()
diff --git a/src/azure-cli-core/azure/cli/core/tests/test_profile.py b/src/azure-cli-core/azure/cli/core/tests/test_profile.py
index bef9b67a39c..e6effc818d2 100644
--- a/src/azure-cli-core/azure/cli/core/tests/test_profile.py
+++ b/src/azure-cli-core/azure/cli/core/tests/test_profile.py
@@ -11,7 +11,7 @@
 from copy import deepcopy
 from unittest import mock
-from azure.cli.core._profile import (Profile, SubscriptionFinder, _attach_token_tenant,
+from azure.cli.core._profile import (Profile, SubscriptionFinder, _attach_token_tenant, _create_identity_instance,
 _transform_subscription_for_multiapi, _TENANT_LEVEL_ACCOUNT_NAME)
 from azure.cli.core.auth.util import AccessToken
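Review bot: `set_broker_info` in telemetry.py stores the configured flags rather than whether a broker was actually used, and nothing documents that. The `_get_azure_cli_properties` hunk at `@@ -237,6 +238,7 @@` emits `EnableBrokerOnMac` with no platform check in the visible lines, as the string `'None'` when a caller passes only the Windows flag. A docstring would keep telemetry consumers from reading the property as "broker in use on macOS", for example `"""Record the configured core.enable_broker_on_windows / core.enable_broker_on_mac values; None means the caller did not supply one."""`. The `# Log the value of ...` comment could then be dropped.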
@@ -1396,6 +1396,28 @@ def test_logout_all(self, logout_all_users_mock, logout_all_service_principal_mo
 logout_all_users_mock.assert_called_once()
 logout_all_service_principal_mock.assert_called_once()
+ @mock.patch('azure.cli.core.auth.identity.Identity', autospec=True)
+ def test_create_identity_instance_broker_on_mac_default_opt_in(self, identity_mock):
+ # Verify that broker on macOS is opt-in: default is False unless user sets
+ # core.enable_broker_on_mac=true. See CLIPS#55.
+ cli = DummyCli()
+ _create_identity_instance(cli, authority='https://login.microsoftonline.com')
+ _, kwargs = identity_mock.call_args
+ self.assertEqual(kwargs['enable_broker_on_mac'], False)
+ # Windows broker remains opt-out (default True).
+ self.assertEqual(kwargs['enable_broker_on_windows'], True)
+
+ @mock.patch('azure.cli.core.auth.identity.Identity', autospec=True)
+ def test_create_identity_instance_broker_on_mac_opt_in_enabled(self, identity_mock):
+ cli = DummyCli()
+ cli.config.set_value('core', 'enable_broker_on_mac', 'true')
+ try:
+ _create_identity_instance(cli, authority='https://login.microsoftonline.com')
+ finally:
+ cli.config.remove_option('core', 'enable_broker_on_mac')
+ _, kwargs = identity_mock.call_args
+ self.assertEqual(kwargs['enable_broker_on_mac'], True)
+
 @mock.patch('azure.cli.core._profile.SubscriptionFinder._create_subscription_client', autospec=True)
 @mock.patch('azure.cli.core.auth.identity.Identity.get_user_credential', autospec=True)
 def test_refresh_accounts_one_user_account(self, get_user_credential_mock, create_subscription_client_mock):
diff --git a/src/azure-cli-core/setup.py b/src/azure-cli-core/setup.py
index 2fb150f0aa9..a663bfa581c 100644
--- a/src/azure-cli-core/setup.py
+++ b/src/azure-cli-core/setup.py
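Review bot: In `test_create_identity_instance_broker_on_mac_opt_in_enabled` (test_profile.py), the option is written with `cli.config.set_value` and then deleted with `remove_option`, which is a problem if `DummyCli()` is backed by a shared on-disk config (its setup is not visible here). In that case the test would erase a value the developer had set, and the default-value test above it would pass or fail depending on machine state. Supplying the value through the environment keeps both tests hermetic, for example `with mock.patch.dict(os.environ, {'AZURE_CORE_ENABLE_BROKER_ON_MAC': 'true'}):`, assuming the CLI's usual `AZURE_<SECTION>_<OPTION>` override applies to this key. `self.assertIs(kwargs['enable_broker_on_mac'], False)` would also be stricter than `assertEqual`, which accepts `0`.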
@@ -55,8 +55,8 @@
 'knack~=0.11.0',
 'microsoft-security-utilities-secret-masker~=1.0.0b4',
 'msal-extensions==1.3.1',
- 'msal[broker]==1.35.1; sys_platform == "win32"',
- 'msal==1.35.1; sys_platform != "win32"',
+ 'msal[broker]==1.35.1; sys_platform == "win32" or sys_platform == "darwin"',
+ 'msal==1.35.1; sys_platform != "win32" and sys_platform != "darwin"',
 'packaging>=20.9',
 'pkginfo>=1.5.0.1',
 # psutil can't install on cygwin: https://github.com/Azure/azure-cli/issues/9399
diff --git a/src/azure-cli/requirements.py3.MacOS.txt b/src/azure-cli/requirements.py3.MacOS.txt
new file mode 100644
index 00000000000..e24d6f47987
--- /dev/null
+++ b/src/azure-cli/requirements.py3.MacOS.txt
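Review bot: The darwin pin added in setup.py, `msal[broker]==1.35.1`, does not match the new `src/azure-cli/requirements.py3.MacOS.txt` in this same commit, which pins `msal[broker]==1.35.0b1` (a pre-release) and `msal-extensions==1.2.0` where this list has `msal-extensions==1.3.1`. If that requirements file is installed against a core package built from this `setup.py`, the `==` pins cannot both be satisfied; if it is installed on its own, macOS environments get a beta of the authentication library. Aligning the requirements file to `msal[broker]==1.35.1` and `msal-extensions==1.3.1` looks like the intended state. The broker extra is also now installed on every macOS machine although the feature defaults to off, which deserves a short comment next to the pin.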
@@ -0,0 +1,138 @@
+antlr4-python3-runtime==4.13.1
+applicationinsights==0.11.9
+argcomplete==3.5.2
+asn1crypto==0.24.0
+azure-appconfiguration==1.7.2
+azure-batch==15.0.0b1
+azure-cli-core==2.84.0
+azure-cli-telemetry==1.1.0
+azure-cli==2.84.0
+azure-common==1.1.22
+azure-core==1.38.0
+azure-cosmos==3.2.0
+azure-data-tables==12.4.0
+azure-datalake-store==1.0.1
+azure-keyvault-administration==4.4.0
+azure-keyvault-certificates==4.7.0
+azure-keyvault-keys==4.11.0
+azure-keyvault-secrets==4.7.0
+azure-keyvault-securitydomain==1.0.0b1
+azure-mgmt-advisor==9.0.0
+azure-mgmt-apimanagement==4.0.0
+azure-mgmt-appconfiguration==6.0.0b1
+azure-mgmt-appcontainers==2.0.0
+azure-mgmt-applicationinsights==1.0.0
+azure-mgmt-authorization==5.0.0b1
+azure-mgmt-batch==17.3.0
+azure-mgmt-batchai==7.0.0b1
+azure-mgmt-billing==6.0.0
+azure-mgmt-botservice==2.0.0b3
+azure-mgmt-cdn==12.0.0
+azure-mgmt-cognitiveservices==14.1.0
+azure-mgmt-compute==34.1.0
+azure-mgmt-containerinstance==10.2.0b1
+azure-mgmt-containerregistry==14.1.0b1
+azure-mgmt-containerservice==40.2.0
+azure-mgmt-core==1.6.0
+azure-mgmt-cosmosdb==9.9.0
+azure-mgmt-datalake-nspkg==3.0.1
+azure-mgmt-datalake-store==1.1.0b1
+azure-mgmt-datamigration==10.0.0
+azure-mgmt-eventgrid==10.2.0b2
+azure-mgmt-eventhub==12.0.0b1
+azure-mgmt-extendedlocation==1.0.0b2
+azure-mgmt-hdinsight==9.1.0b2
+azure-mgmt-imagebuilder==1.3.0
+azure-mgmt-iotcentral==10.0.0b1
+azure-mgmt-iothub==5.0.0b1
+azure-mgmt-iothubprovisioningservices==1.1.0
+azure-mgmt-keyvault==13.0.0
+azure-mgmt-loganalytics==13.0.0b4
+azure-mgmt-managementgroups==1.0.0
+azure-mgmt-maps==2.0.0
+azure-mgmt-marketplaceordering==1.1.0
+azure-mgmt-media==9.0.0
+azure-mgmt-monitor==7.0.0b1
+azure-mgmt-msi==7.1.0
+azure-mgmt-netapp==10.1.0
+azure-mgmt-policyinsights==1.1.0b4
+azure-mgmt-postgresqlflexibleservers==3.0.0b1
+azure-mgmt-privatedns==1.0.0
+azure-mgmt-rdbms==10.2.0b17
+azure-mgmt-mysqlflexibleservers==1.1.0b2
+azure-mgmt-recoveryservices==4.0.0
+azure-mgmt-recoveryservicesbackup==9.2.0
+azure-mgmt-redhatopenshift~=3.0.0
+azure-mgmt-redis==14.5.0
+azure-mgmt-resource==24.0.0
+azure-mgmt-resource-deployments==1.0.0b1
+azure-mgmt-resource-deploymentscripts==1.0.0b1
+azure-mgmt-resource-deploymentstacks==1.0.0
+azure-mgmt-resource-templatespecs==1.0.0b1
+azure-mgmt-search==9.0.0
+azure-mgmt-security==6.0.0
+azure-mgmt-servicebus==10.0.0b1
+azure-mgmt-servicefabric==2.1.0
+azure-mgmt-servicefabricmanagedclusters==2.1.0b1
+azure-mgmt-servicelinker==1.2.0b3
+azure-mgmt-sql==4.0.0b22
+azure-mgmt-signalr==2.0.0b2
+azure-mgmt-sqlvirtualmachine==1.0.0b5
+azure-mgmt-storage==24.0.0
+azure-mgmt-synapse==2.1.0b5
+azure-mgmt-trafficmanager==1.0.0
+azure-mgmt-web==9.0.0
+azure-monitor-query==1.2.0
+azure-nspkg==3.0.2
+azure-storage-common==1.4.2
+azure-storage-blob==12.28.0b1
+azure-storage-file-datalake==12.23.0b1
+azure-storage-file-share==12.24.0b1
+azure-storage-queue==12.15.0b1
+azure-synapse-accesscontrol==0.5.0
+azure-synapse-artifacts==0.21.0
+azure-synapse-managedprivateendpoints==0.4.0
+azure-synapse-spark==0.7.0
+bcrypt==3.2.0
+certifi==2024.7.4
+cffi==2.0.0
+chardet==5.2.0
+colorama==0.4.6
+cryptography==44.0.1
+fabric==3.2.2
+humanfriendly==10.0
+idna==3.7
+invoke==2.2.0
+isodate==0.6.1
+javaproperties==0.5.1
+jmespath==0.9.5
+jsondiff==2.0.0
+knack==0.11.0
+msal-extensions==1.2.0
+msal[broker]==1.35.0b1
+msrest==0.7.1
+oauthlib==3.2.2
+packaging==25.0
+paramiko==3.5.0
+pbr==7.0.3
+pkginfo==1.8.2
+portalocker==2.3.2
+psutil==6.1.0
+pycomposefile==0.0.34
+PyGithub==1.55
+PyJWT==2.10.1
+PyNaCl==1.6.2
+pyOpenSSL==25.0.0
+PySocks==1.7.1
+python-dateutil==2.8.0
+requests-oauthlib==1.2.0
+requests==2.32.4
+scp==0.13.2
+semver==3.0.4
+six==1.16.0
+sshtunnel==0.1.5
+tabulate==0.8.9
+urllib3==2.6.3
+wcwidth==0.1.7
+websocket-client==1.8.0
+xmltodict==0.12.0