Adding Credential Probe logic #5116
+537
−19
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| // Copyright (c) Microsoft Corporation. All rights reserved. | ||
| // Licensed under the MIT License. | ||
|
|
||
| using System; | ||
| using System.Net.Http; | ||
| using Microsoft.Identity.Client.Core; | ||
| using Microsoft.Identity.Client.Internal; | ||
|
|
||
| namespace Microsoft.Identity.Client.ManagedIdentity | ||
| { | ||
| internal class CredentialManagedIdentitySource : AbstractManagedIdentity | ||
|
There was a problem hiding this comment. nit: maybe we just call it SLC or MSIv2 ? Credential is such an overloaded term. There was a problem hiding this comment. In fact, should it be |
||
| { | ||
| /// <summary> | ||
| /// Factory method to create an instance of `CredentialManagedIdentitySource`. | ||
| /// </summary> | ||
| public static AbstractManagedIdentity Create(RequestContext requestContext) | ||
| { | ||
| requestContext.Logger.Info(() => "[Managed Identity] Using credential based managed identity."); | ||
|
|
||
| return new CredentialManagedIdentitySource(requestContext); | ||
| } | ||
|
|
||
| private CredentialManagedIdentitySource(RequestContext requestContext) : | ||
| base(requestContext, ManagedIdentitySource.Credential) | ||
| { | ||
| } | ||
|
|
||
| /// <summary> | ||
| /// Even though the Credential flow does not use this request, we need to satisfy the abstract contract. | ||
| /// Return a minimal, valid ManagedIdentityRequest using the fixed credential endpoint. | ||
| /// </summary> | ||
| /// <param name="resource">The resource identifier (ignored in this flow).</param> | ||
| /// <returns>A ManagedIdentityRequest instance using the credential endpoint.</returns> | ||
| protected override ManagedIdentityRequest CreateRequest(string resource) | ||
| { | ||
| // Return a minimal request with the fixed credential endpoint. | ||
| return new ManagedIdentityRequest( | ||
| HttpMethod.Post, | ||
| new Uri("http://169.254.169.254/metadata/identity/credential?cred-api-version=1.0")); | ||
| } | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,106 @@ | ||
| // Copyright (c) Microsoft Corporation. All rights reserved. | ||
| // Licensed under the MIT License. | ||
|
|
||
| using System; | ||
| using System.Net; | ||
| using System.Net.Http; | ||
| using System.Threading; | ||
| using System.Threading.Tasks; | ||
| using Microsoft.Identity.Client.Core; | ||
| using Microsoft.Identity.Client.Http; | ||
|
|
||
| namespace Microsoft.Identity.Client.ManagedIdentity | ||
| { | ||
| internal class ImdsCredentialProbeManager | ||
| { | ||
| private const string CredentialEndpoint = "http://169.254.169.254/metadata/identity/credential"; | ||
| private const string ProbeBody = "."; | ||
| private const string ImdsHeader = "IMDS/"; | ||
| private readonly IHttpManager _httpManager; | ||
| private readonly ILoggerAdapter _logger; | ||
|
|
||
| public ImdsCredentialProbeManager(IHttpManager httpManager, ILoggerAdapter logger) | ||
| { | ||
| _httpManager = httpManager ?? throw new ArgumentNullException(nameof(httpManager)); | ||
| _logger = logger ?? throw new ArgumentNullException(nameof(logger)); | ||
| } | ||
|
|
||
| public async Task<bool> ExecuteAsync(CancellationToken cancellationToken = default) | ||
| { | ||
| _logger.Info("[Credential Probe] Initiating probe to IMDS credential endpoint."); | ||
|
|
||
| var request = new ManagedIdentityRequest(HttpMethod.Post, new Uri($"{CredentialEndpoint}?cred-api-version=1.0")) | ||
| { | ||
| Content = ProbeBody | ||
| }; | ||
|
|
||
| HttpContent httpContent = request.CreateHttpContent(); | ||
|
|
||
| _logger.Info($"[Credential Probe] Sending request to {CredentialEndpoint}"); | ||
| _logger.Verbose(() => $"[Credential Probe] Request Headers: {string.Join(", ", request.Headers)}"); | ||
|
There was a problem hiding this comment. It's a little dangerous to log headers and body. Maybe don't do it unless we really need it. |
||
| _logger.Verbose(() => $"[Credential Probe] Request Body: {ProbeBody}"); | ||
|
|
||
| try | ||
| { | ||
| HttpResponse response = await _httpManager.SendRequestAsync( | ||
| request.ComputeUri(), | ||
| request.Headers, | ||
| httpContent, | ||
| request.Method, | ||
| _logger, | ||
| doNotThrow: true, | ||
| mtlsCertificate: null, | ||
| customHttpClient: null, | ||
| cancellationToken).ConfigureAwait(false); | ||
|
|
||
| LogResponseDetails(response); | ||
|
|
||
| return EvaluateProbeResponse(response); | ||
|
There was a problem hiding this comment. Is it worth recording in telemetry about this? I guess we will know MSAL version and MSI source already - will this be enough? There was a problem hiding this comment. Your spec states that a retry mechanism needs to be used. This doesn't seem implemented.
|
||
| } | ||
| catch (Exception ex) | ||
| { | ||
| _logger.Error($"[Credential Probe] Exception during probe: {ex.Message}"); | ||
|
There was a problem hiding this comment. It's not really an error is it? It is part of the normal flow. It will confuse ppl. We've did this before in regional and ppl complained that the logs are too noisy. Pls use info level. I also recommend you do not print the full exception here, just the message should be suficient. |
||
| _logger.Error($"[Credential Probe] Stack Trace: {ex.StackTrace}"); | ||
| return false; | ||
| } | ||
| } | ||
|
|
||
| private void LogResponseDetails(HttpResponse response) | ||
| { | ||
| if (response == null) | ||
| { | ||
| _logger.Error("[Credential Probe] No response received from the server."); | ||
|
|
||
| return; | ||
| } | ||
|
|
||
| _logger.Info($"[Credential Probe] Response Status Code: {response.StatusCode}"); | ||
| _logger.Verbose(() => $"[Credential Probe] Response Headers: {string.Join(", ", response.HeadersAsDictionary)}"); | ||
|
|
||
| if (response.Body != null) | ||
| { | ||
| _logger.Verbose(() => $"[Credential Probe] Response Body: {response.Body}"); | ||
|
There was a problem hiding this comment. avoid printing entire reponse body. it could have PII or worse, some secrets. |
||
| } | ||
| } | ||
|
|
||
| private bool EvaluateProbeResponse(HttpResponse response) | ||
| { | ||
| if (response == null) | ||
| { | ||
| _logger.Error("[Credential Probe] No response received from the server."); | ||
| return false; | ||
| } | ||
|
|
||
| _logger.Info($"[Credential Probe] Evaluating response from credential endpoint. Status Code: {response.StatusCode}"); | ||
|
|
||
| if (response.HeadersAsDictionary.TryGetValue("Server", out string serverHeader) && | ||
| serverHeader.StartsWith(ImdsHeader, StringComparison.OrdinalIgnoreCase)) | ||
| { | ||
| _logger.Info($"[Credential Probe] Credential endpoint supported. Server Header: {serverHeader}"); | ||
| return true; | ||
| } | ||
|
|
||
| _logger.Warning($"[Credential Probe] Credential endpoint not supported. Status Code: {response.StatusCode}"); | ||
| return false; | ||
| } | ||
| } | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@gladjohn - we discussed that you'd start a feature branch? The base branch for this PR is main.